
Windows WMI Impersonate Token

Author: Teoderick Contreras, Splunk
Source: upstream

This analytic detects potential WMI token impersonation activity in a process or command. It uses Sysmon EventCode 10 to identify instances where wmiprvse.exe is granted duplicate-handle or full access to a target process. This behavior is significant because malware such as Qakbot commonly uses it for privilege escalation or defense evasion. If confirmed malicious, this activity could allow an attacker to gain elevated privileges, evade defenses, and maintain persistence within the environment.

MITRE ATT&CK coverage

Tactic | Techniques
Execution | T1047 Windows Management Instrumentation

Event coverage

Provider | Event ID | Title
Sysmon | 10 | ProcessAccess

Stages and Predicates

Stage 1: search

search EventCode=10 GrantedAccess IN ("0x1478", "0x1fffff") SourceImage="*\\wmiprvse.exe"

Stage 2: stats

stats BY CallTrace, EventID, GrantedAccess, Guid, Opcode, ProcessID, SecurityID, SourceImage, SourceProcessGUID, SourceProcessId, TargetImage, TargetProcessGUID, TargetProcessId, UserID, dest, granted_access, parent_process_exec, parent_process_guid, parent_process_id, parent_process_name, parent_process_path, process_exec, process_guid, process_id, process_name, process_path, signature, signature_id, user_id, vendor_product

Stage 3: search

search

Stage 4: search

search

Stage 5: search

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
EventCode | eq | 10; corpus 14 (splunk 14)
GrantedAccess | in | "0x1478", "0x1fffff"; corpus 4 (splunk 4)
SourceImage | eq | "*\\wmiprvse.exe"
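
The Stage 1 predicate and the indicators above, re-expressed in Python as an added example for offline triage (not the rule's or Splunk's own code). It also decodes each GrantedAccess mask into the Windows process access rights it contains; the function names and the sample events are constructed for illustration.

```python
# Added example: Stage 1 predicate plus GrantedAccess decoding (not the rule's own code).
# Process access rights as defined in the Windows SDK (winnt.h).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
RULE_MASKS = {0x1478, 0x1FFFFF}  # the two GrantedAccess values the rule lists

def decode_access(mask):
    """Name the process access rights contained in a GrantedAccess mask."""
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]

def matches_stage1(event):
    """EventCode 10, GrantedAccess in the rule's list, SourceImage is wmiprvse.exe."""
    if str(event.get("EventCode")) != "10":
        return False
    try:
        mask = int(str(event.get("GrantedAccess")), 16)  # numeric compare: hex case ignored
    except ValueError:
        return False
    image = str(event.get("SourceImage", "")).lower()  # SPL wildcards are case-insensitive
    # The leading backslash pins the file name, so "notwmiprvse.exe" does not match.
    return mask in RULE_MASKS and image.endswith("\\wmiprvse.exe")

def triage(events):
    """Return (TargetImage, decoded rights) for every event the predicate matches."""
    return [(e.get("TargetImage"), decode_access(int(e["GrantedAccess"], 16)))
            for e in events if matches_stage1(e)]

# Constructed sample events (not real telemetry).
WMI = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
SAMPLE_EVENTS = [
    {"EventCode": "10", "SourceImage": WMI, "GrantedAccess": "0x1478", "TargetImage": "C:\\Windows\\System32\\svchost.exe"},
    {"EventCode": 10, "SourceImage": WMI, "GrantedAccess": "0x1FFFFF", "TargetImage": "C:\\Windows\\explorer.exe"},
    {"EventCode": "10", "SourceImage": WMI, "GrantedAccess": "0x1000", "TargetImage": "C:\\Windows\\System32\\svchost.exe"},
    {"EventCode": "10", "SourceImage": "C:\\Tools\\notwmiprvse.exe", "GrantedAccess": "0x1fffff", "TargetImage": "C:\\Windows\\explorer.exe"},
    {"EventCode": "1", "SourceImage": WMI, "GrantedAccess": "0x1478", "TargetImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for target, rights in triage(SAMPLE_EVENTS):
        print(target, rights)
```

Decoding shows why the two masks matter: 0x1478 carries PROCESS_DUP_HANDLE together with VM read/write rights, and 0x1fffff is PROCESS_ALL_ACCESS.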