# generated using capa explorer for IDA Pro
rule:
meta:
name: connect to WMI namespace via WbemLocator
namespace: host-interaction/wmi
authors:
- michael.hunhoff@mandiant.com
scopes:
static: function
dynamic: call
att&ck:
- Execution::Windows Management Instrumentation [T1047]
examples:
- al-khaser_x64.exe_:0x14001956e
- al-khaser_x86.exe_:0x00445270
features:
- or:
- call:
- description: dynamic detection rule
- or:
- and:
- api: ole32.CoCreateInstance
- com/class: WbemLocator # 11 F8 90 45 3A 1D D0 11 89 1F 00 AA 00 4B 2E 24 = CLSID_WbemLocator
- and:
- match: host-interaction/process/create
- or:
- string: /wmic(|\.exe) /i
- string: /Register-WMIEvent /i
- and:
- description: static detection rule
- basic block:
- and:
- api: ole32.CoCreateInstance
- com/class: WbemLocator # 11 F8 90 45 3A 1D D0 11 89 1F 00 AA 00 4B 2E 24 = CLSID_WbemLocator
- com/interface: IWbemLocator # 87 A6 12 DC 7F 73 CF 11 88 4D 00 AA 00 4B 2E 24 = IID_IWbemLocator
- basic block:
- or:
- and:
- arch: i386
- offset: 0xC = ppv->ConnectServer
- and:
- arch: amd64
- offset: 0x18 = ppv->ConnectServer
- optional:
- string: /ROOT\\CIMV2/i
- string: /ROOT\\DEFAULT/i
last edited: 2024-11-22 15:12:11