LoFP / legitimate system administration

Techniques

Sample rules

Successful Account Login Via WMI

Description

Detects successful logon attempts performed with WMI.

Detection logic

condition: selection
selection:
  EventID: 4624
  ProcessName|endswith: \WmiPrvSE.exe