
Wab/Wabmig Unusual Parent Or Child Processes

Format: Sigma · Level: high · Source: SigmaHQ · Sentinel table: imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-23T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects unusual parents or children of wab.exe (Windows Contacts) and wabmig.exe (Microsoft Address Book Import Tool), two legitimate Windows binaries observed being abused in Bumblebee loader intrusions (see the referenced DFIR Report and Symantec write-ups). The rule fires when either binary is spawned by WmiPrvSE.exe, svchost.exe or dllhost.exe, or when either binary spawns any child process.

Detection Rule

Sigma (Original)

title: Wab/Wabmig Unusual Parent Or Child Processes
id: 63d1ccc0-2a43-4f4b-9289-361b308991ff
status: test
description: Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity
references:
    - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2022-09-27
tags:
    - attack.execution
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            # Add more if known
            - \WmiPrvSE.exe
            - \svchost.exe
            - \dllhost.exe
        Image|endswith:
            - '\wab.exe'
            - '\wabmig.exe' # (Microsoft Address Book Import Tool)
    selection_child:
        # You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy
        ParentImage|endswith:
            - '\wab.exe'
            - '\wabmig.exe' # (Microsoft Address Book Import Tool)
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
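To see exactly what the two selections match, here is the rule's logic reimplemented and run over a handful of process-creation events. This is an added example for this page, not SigmaHQ code; the events are constructed (not taken from the referenced Bumblebee reports) and use Sysmon Event ID 1 field names (Image, ParentImage). It also goes one step beyond the published rule: the suspicious_children parameter is an assumed extension that narrows selection_child the way the rule's own comment suggests, and is not part of the original.

```python
"""Evaluate the Sigma rule's selections against constructed process-creation
events (Sysmon Event ID 1 style fields: Image, ParentImage).

Added example, not SigmaHQ code. Sample events are constructed, not real telemetry.
"""

# Suffixes copied from the rule's selection_parent / selection_child.
SUSPICIOUS_PARENTS = ("\\WmiPrvSE.exe", "\\svchost.exe", "\\dllhost.exe")
WAB_IMAGES = ("\\wab.exe", "\\wabmig.exe")


def endswith_any(value: str, suffixes) -> bool:
    """Sigma string modifiers such as |endswith are case-insensitive by default,
    so fold both sides before comparing (event 4 below relies on this)."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def selection_parent(event: dict) -> bool:
    """wab.exe / wabmig.exe spawned by WmiPrvSE.exe, svchost.exe or dllhost.exe."""
    return (endswith_any(event.get("ParentImage", ""), SUSPICIOUS_PARENTS)
            and endswith_any(event.get("Image", ""), WAB_IMAGES))


def selection_child(event: dict, suspicious_children=None) -> bool:
    """Any child of wab.exe / wabmig.exe, as the published rule has it.

    suspicious_children is an assumed extension (not in the rule): when given,
    only children whose Image ends with one of those suffixes count, which is
    the tightening the rule's comment recommends."""
    if not endswith_any(event.get("ParentImage", ""), WAB_IMAGES):
        return False
    if suspicious_children is None:
        return True
    return endswith_any(event.get("Image", ""), suspicious_children)


def matches(event: dict, suspicious_children=None) -> bool:
    """condition: 1 of selection_*"""
    return selection_parent(event) or selection_child(event, suspicious_children)


# Constructed events (not real telemetry).
EVENTS = [
    # 1: WMI provider host launching wab.exe -> selection_parent
    {"id": 1, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Program Files\Windows Mail\wab.exe"},
    # 2: wab.exe spawning a shell -> selection_child
    {"id": 2, "ParentImage": r"C:\Program Files\Windows Mail\wab.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    # 3: user opening Windows Contacts from Explorer -> no match
    {"id": 3, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Windows Mail\wab.exe"},
    # 4: upper-case path; must still match because Sigma compares case-insensitively
    {"id": 4, "ParentImage": r"C:\PROGRAM FILES\WINDOWS MAIL\WABMIG.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # 5: svchost.exe parent but not a wab image -> no match
    {"id": 5, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
    # 6: a likely benign child (assumed: crash-reporting helper) -> matches the
    #    published rule, dropped once children are narrowed
    {"id": 6, "ParentImage": r"C:\Program Files\Windows Mail\wab.exe",
     "Image": r"C:\Windows\System32\WerFault.exe"},
]


def run(events, suspicious_children=None):
    """Return the ids of the events the rule fires on, in input order."""
    return [e["id"] for e in events if matches(e, suspicious_children)]


if __name__ == "__main__":
    print("as published:", run(EVENTS))                                          # [1, 2, 4, 6]
    print("children narrowed:", run(EVENTS, ("\\cmd.exe", "\\powershell.exe")))  # [1, 2, 4]
```

Running it shows the trade-off the rule's comment hints at: as published, selection_child alerts on every child of wab.exe, including the constructed WerFault.exe case, while the narrowed variant keeps the WMI-parent and shell-child hits and drops it.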

KQL (Azure Sentinel)

imProcessCreate
| where (
    (
        (ParentProcessName endswith "\\WmiPrvSE.exe" or ParentProcessName endswith "\\svchost.exe" or ParentProcessName endswith "\\dllhost.exe")
        or (ActingProcessName endswith "\\WmiPrvSE.exe" or ActingProcessName endswith "\\svchost.exe" or ActingProcessName endswith "\\dllhost.exe")
    )
    and (TargetProcessName endswith "\\wab.exe" or TargetProcessName endswith "\\wabmig.exe")
)
or (
    (ParentProcessName endswith "\\wab.exe" or ParentProcessName endswith "\\wabmig.exe")
    or (ActingProcessName endswith "\\wab.exe" or ActingProcessName endswith "\\wabmig.exe")
)

Required Data Sources

Sentinel Table: imProcessCreate
Notes: Ensure this data connector is enabled

False Positive Guidance

The upstream rule lists its false positives as Unknown. wab.exe and wabmig.exe are legitimate Windows components, so expect benign hits, particularly from selection_child, which fires on every child of either binary; the rule's own comment suggests narrowing it to specific children such as cmd.exe or powershell.exe. The selection_parent list (WmiPrvSE.exe, svchost.exe, dllhost.exe) is marked "Add more if known" and is not exhaustive. Baseline which parents launch these binaries in your environment before alerting at high severity.

MITRE ATT&CK Context

The rule carries the tactic tags attack.execution and attack.stealth and no technique-level tag. The referenced reports tie the observed parent/child relationships to Bumblebee loader activity.

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml