rule:
meta:
name: access WMI data in .NET
namespace: host-interaction/wmi
authors:
- michael.hunhoff@mandiant.com
scopes:
static: function
dynamic: thread
att&ck:
- Execution::Windows Management Instrumentation [T1047]
features:
- or:
- and:
- api: System.Management.ManagementClass::ctor
- optional:
- api: System.Management.ManagementClass::GetInstances
- api: System.Management.ManagementObjectCollection::GetEnumerator
- and:
- api: System.Management.ManagementObjectSearcher::Get
- optional:
- api: System.Management.ManagementObjectSearcher::ctor
last edited: 2023-11-24 10:34:28