adding connect-to-wmi-namespace-via-wbemlocator.yml
mike-hunhoff committed May 17, 2021
1 parent e4e6300 commit be24bef
Showing 1 changed file with 20 additions and 0 deletions.
20 changes: 20 additions & 0 deletions nursery/connect-to-wmi-namespace-via-wbemlocator.yml
@@ -0,0 +1,20 @@
# generated using capa explorer for IDA Pro
rule:
meta:
name: connect to WMI namespace via WbemLocator
namespace: host-interaction/wmi
author: [email protected]
scope: function
att&ck:
- Execution::Windows Management Instrumentation [T1047]
features:
- and:
- basic block:
- and:
- api: ole32.CoCreateInstance
- bytes: 11 F8 90 45 3A 1D D0 11 89 1F 00 AA 00 4B 2E 24 = CLSID_WbemLocator
- bytes: 87 A6 12 DC 7F 73 CF 11 88 4D 00 AA 00 4B 2E 24 = IID_IWbemLocator
- offset: 0x18 = ppv->ConnectServer
- optional:
- string: /ROOT\\CIMV2/i
- string: /ROOT\\DEFAULT/i
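Review bot: the `offset: 0x18 = ppv->ConnectServer` feature only matches 64-bit code, because `ConnectServer` is the first method after the three IUnknown slots (QueryInterface, AddRef, Release), which is `3 * 8 = 0x18` on x64 but `3 * 4 = 0xC` on x86; a 32-bit sample calling `IWbemLocator::ConnectServer` would fail the inner `and` and the rule would not fire. Consider replacing the single offset with an `or:` over both widths, e.g. `- offset: 0xC = ppv->ConnectServer (x86)` and `- offset: 0x18 = ppv->ConnectServer (x64)`, and noting the assumption in a comment. The two GUID byte sequences do decode to `{4590F811-1D3A-11D0-891F-00AA004B2E24}` (CLSID_WbemLocator) and `{DC12A687-737F-11CF-884D-00AA004B2E24}` (IID_IWbemLocator), so those features look correct; since this lands in `nursery/`, the missing `examples:` meta field is acceptable for now but should be filled in before promotion.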
