legitimate system administration

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml>sigma
technicques: t1047

Techniques

Detects successful logon attempts performed with WMI

condition: selection
selection:
  EventID: 4624
  ProcessName|endswith: \WmiPrvSE.exe