The detection identifies the creation of a file named wpbbin.exe in the Windows System32 directory, an indicator of UEFI-based persistence that adversaries use to maintain long-term access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that rely on firmware-level persistence techniques.
Detection Rule
title: UEFI Persistence Via Wpbbin - FileCreation
id: e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f
status: test
description: Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory, which could be indicative of a UEFI-based persistence method
references:
    - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
    - https://persistence-info.github.io/Data/wpbbin.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-18
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1542.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename: 'C:\Windows\System32\wpbbin.exe'
    condition: selection
falsepositives:
    - Legitimate usage of the file by hardware manufacturers such as Lenovo (Thanks @0gtweet for the tip)
level: high
Sentinel Query (KQL)
imFileEvent
| where TargetFileName =~ "C:\\Windows\\System32\\wpbbin.exe"
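To show how the rule's selection behaves against raw file-creation telemetry, the following Python is an added example (not part of the Sigma rule or the Sentinel query on this page). It applies the same exact-path match with the case-insensitive semantics of the KQL `=~` operator, accepts both the Sysmon field name `TargetFilename` and the ASIM field name `TargetFileName`, and surfaces the creating process for triage; the sample events are constructed, not real telemetry.

```python
import json
import ntpath

# Selection from the Sigma rule on this page (exact TargetFilename match).
WPBBIN_PATH = r"C:\Windows\System32\wpbbin.exe"

# Sysmon Event ID 11 calls the field TargetFilename; the ASIM imFileEvent
# schema behind the KQL query calls it TargetFileName. Accept either.
TARGET_FIELDS = ("TargetFilename", "TargetFileName")

# Constructed sample events in JSON-lines form, as a log forwarder might ship
# them. Values are invented for the example; they are not real telemetry.
SAMPLE_EVENTS = r"""
{"UtcTime":"2024-01-10 08:00:01.120","Image":"C:\\Windows\\System32\\smss.exe","TargetFilename":"C:\\Windows\\System32\\wpbbin.exe"}
{"UtcTime":"2024-01-10 08:00:05.431","Image":"C:\\Windows\\System32\\svchost.exe","TargetFilename":"C:\\Windows\\System32\\wpbbin.exe.tmp"}
{"UtcTime":"2024-01-10 08:01:12.007","Image":"C:\\Windows\\explorer.exe","TargetFileName":"c:/windows/system32/WPBBIN.EXE"}
{"UtcTime":"2024-01-10 08:02:30.900","Image":"C:\\Windows\\System32\\cmd.exe","TargetFilename":"C:\\Users\\bob\\wpbbin.exe"}
"""


def _normalize(path: str) -> str:
    # Fold case and separators: mirrors the case-insensitive =~ comparison in
    # the KQL query and additionally tolerates forward slashes in the path.
    return ntpath.normcase(path.strip())


def matches_wpbbin_rule(event: dict) -> bool:
    """True when the event's target path equals the rule's selection."""
    for field in TARGET_FIELDS:
        if field in event:
            return _normalize(event[field]) == _normalize(WPBBIN_PATH)
    return False


def hunt(events: list[dict]) -> list[dict]:
    """One triage record per matching event, with the creating process
    surfaced so an analyst can weigh it against the false-positive notes."""
    hits = []
    for ev in events:
        if matches_wpbbin_rule(ev):
            hits.append({
                "time": ev.get("UtcTime"),
                "creator": ntpath.basename(ev.get("Image", "")),
                "target": ev.get("TargetFilename") or ev.get("TargetFileName"),
                "rule": "UEFI Persistence Via Wpbbin - FileCreation",
                "level": "high",
            })
    return hits


def load_events(text: str) -> list[dict]:
    """Parse JSON-lines input, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for hit in hunt(load_events(SAMPLE_EVENTS)):
        print(hit)
```

Note that a path such as `wpbbin.exe.tmp` or a copy outside System32 does not fire, matching the rule's exact selection rather than a substring search.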
Scenario: System Restore Point Creation
Description: A system administrator creates a system restore point using tools like System File Checker or DISM which may trigger file creation in system directories.
Filter/Exclusion: Check for CreationTime within a known restore point creation window or filter by ProcessName like dism.exe or sfc.exe.
Scenario: Scheduled Task for System Maintenance
Description: A legitimate scheduled task (e.g., Task Scheduler) runs a script or executable that creates temporary files in system directories.
Filter/Exclusion: Filter by ProcessName such as schtasks.exe or taskhost.exe, or check for CommandLine containing known maintenance scripts.
Scenario: Windows Update or Patching Process
Description: Windows Update or Microsoft Endpoint Manager (MEM) may create temporary files during patching or update installation.
Filter/Exclusion: Filter by ProcessName like wuauclt.exe, msiexec.exe, or setup.exe, or check for FileVersion matching known Windows update components.
Scenario: Admin Tool for System Configuration
Description: An administrator uses tools like PowerShell or Group Policy Management Console (GPMC) to create configuration files in system directories.
Filter/Exclusion: Filter by ProcessName such as powershell.exe or gpmc.msc, or check for CommandLine containing known administrative commands.
Scenario: Antivirus or Endpoint Protection Quarantine
Description: Antivirus software (e.g., Microsoft Defender, Bitdefender, Kaspersky) may create quarantine files or temporary files during scan operations.
Filter/Exclusion: Filter by ProcessName like MsMpEng.exe, bdagent.exe,