Adversaries may leverage a WMI DLL hijack by deploying a malicious wbemcomn.dll file in the C:\Windows\System32\wbem\ directory to execute arbitrary code with elevated privileges. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate DLL hijacking attacks that could compromise system integrity and provide persistence.
Detection Rule
title: Wmiprvse Wbemcomn DLL Hijack - File
id: 614a7e17-5643-4d89-b6fe-f9df1a79641c
status: test
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
references:
    - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-12
modified: 2022-12-02
tags:
    - attack.execution
    - attack.t1047
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image: System
        TargetFilename|endswith: '\wbem\wbemcomn.dll'
    condition: selection
falsepositives:
    - Unknown
level: critical
// Sigma 'Image' is the process that wrote the file (the kernel, "System", for a file written over the network);
// in the ASIM file-event schema that is ActingProcessName, and the written path is TargetFilePath.
imFileEvent
| where EventType == "FileCreated"
| where ActingProcessName =~ "System"
| where TargetFilePath endswith "\\wbem\\wbemcomn.dll"
Scenario: A system administrator deploys a legitimate update or patch that includes a wbemcomn.dll file in the C:\Windows\System32\wbem\ directory as part of a Windows Update or Microsoft Support Tools installation.
Filter/Exclusion: Check the file’s hash against known good hashes from Microsoft or use a file integrity monitoring tool to verify the file’s authenticity.
Scenario: A scheduled task runs a script that copies a wbemcomn.dll file into the C:\Windows\System32\wbem\ directory to replace a corrupted or outdated version.
Filter/Exclusion: Exclude files that are created by known legitimate processes or scheduled tasks, such as schtasks.exe or taskhost.exe, and verify the source of the file.
Scenario: A third-party application or service (e.g., Microsoft System Center or a custom monitoring tool) places a wbemcomn.dll file in the wbem directory as part of its installation or configuration process.
Filter/Exclusion: Exclude files created by known trusted applications or services, or use a file owner or process origin check to validate legitimacy.
Scenario: A system administrator uses a tool like PsExec or WMIC to remotely deploy a wbemcomn.dll file for administrative purposes, such as custom WMI extensions or remote management.
Filter/Exclusion: Exclude files created by remote execution tools or by processes with known administrative privileges, and validate the source IP or user context.
Scenario: A legitimate security tool, such as Microsoft Defender ATP or a third-party endpoint protection platform, places a wbemcomn.dll file in the wbem directory as part of its runtime or update process.
Filter/Exclusion: Exclude files associated with known security tools or use a file signature check to
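The following Python is an added example, not part of the rule or of the referenced playbook: it evaluates the Sigma selection above (Image equals System, TargetFilename ends with \wbem\wbemcomn.dll, both case-insensitive as Sigma specifies) against constructed file-creation events, and then applies the hash-allowlist triage described in the false-positive scenarios. The events, the allowlisted SHA256 value and the Hashes/User fields are constructed for the example; only the Image and TargetFilename field names come from the rule.

```python
"""Evaluate the wbemcomn.dll Sigma selection over sample file events and
triage matches against a known-good hash allowlist (added example)."""

# Sigma selection copied from the rule; "field|modifier" keys carry the modifier.
SELECTION = {
    "Image": "System",
    "TargetFilename|endswith": "\\wbem\\wbemcomn.dll",
}


def field_matches(value, pattern, modifier=None):
    """Sigma string comparisons are case-insensitive; apply one modifier."""
    v, p = str(value).lower(), str(pattern).lower()
    if modifier is None:
        return v == p
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def matches_selection(event, selection=SELECTION):
    """Every entry of a Sigma selection map must match (logical AND)."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not field_matches(event[field], pattern, modifier or None):
            return False
    return True


def parse_sha256(hashes):
    """Sysmon-style 'SHA256=...,MD5=...' string -> lowercase sha256 hex or None."""
    for part in hashes.split(","):
        algo, _, digest = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return digest.strip().lower()
    return None


# Constructed placeholder allowlist. In practice this would be the SHA256 of
# the vendor-shipped wbemcomn.dll builds, taken from a file-integrity tool.
KNOWN_GOOD_SHA256 = {"aaaaaaaa" * 8}


def triage(event):
    """Return 'no_match', 'known_good' or 'investigate' for one event.

    The rule only fires when the writing process is System, so the
    process-name exclusions in the scenarios never apply to a match;
    the hash check is the filter that actually separates a patch from
    a hijack attempt.
    """
    if not matches_selection(event):
        return "no_match"
    sha256 = parse_sha256(event.get("Hashes", ""))
    if sha256 in KNOWN_GOOD_SHA256:
        return "known_good"
    return "investigate"


# Constructed sample events (Sysmon Event ID 11 style fields).
WBEM_PATH = r"C:\Windows\System32\wbem\wbemcomn.dll"
SAMPLE_EVENTS = [
    # Written via System with an allowlisted hash: legitimate replacement.
    {"Image": "System", "TargetFilename": WBEM_PATH,
     "Hashes": "SHA256=" + "aaaaaaaa" * 8, "User": r"NT AUTHORITY\SYSTEM"},
    # Written via System with an unknown hash: the hijack pattern, investigate.
    {"Image": "System", "TargetFilename": WBEM_PATH,
     "Hashes": "SHA256=" + "bbbbbbbb" * 8, "User": r"NT AUTHORITY\SYSTEM"},
    # Written by a local process, not System: outside this rule's scope.
    {"Image": r"C:\Windows\System32\svchost.exe", "TargetFilename": WBEM_PATH,
     "Hashes": "SHA256=" + "cccccccc" * 8, "User": r"NT AUTHORITY\SYSTEM"},
    # Same file name in another directory: does not match the suffix.
    {"Image": "System", "TargetFilename": r"C:\Windows\Temp\wbemcomn.dll",
     "Hashes": "SHA256=" + "dddddddd" * 8, "User": r"NT AUTHORITY\SYSTEM"},
]


def run(events=SAMPLE_EVENTS):
    """Triage a list of events; returns one verdict per event, in order."""
    return [triage(e) for e in events]


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, run()):
        print(f"{verdict:12} {ev['Image']} -> {ev['TargetFilename']}")
```

Running the block prints one verdict per constructed event: the allowlisted write is known_good, the unknown-hash write via System is the one to investigate, and the other two never match the rule.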