Rules: WMIPRVSE Spawning Process
Observes for child processes spawned by WMIPRVSE
| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Unknown/Other |
| Apply Risk to Entities | device_hostname, user_username |
| Signal Name | WMIPRVSE Spawning Process |
| Summary Expression | Wmiprvse observed spawning child process {{baseImage}} on {{device_hostname}} |
| Score/Severity | Static: 3 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0002, _mitreAttackTechnique:T1047 |

- CrowdStrike - FDR
- CrowdStrike - Falcon
- Digital Guardian - ARC
- Microsoft - Azure
- Microsoft - Defender Advanced Hunting
- Microsoft - Office 365
- Microsoft - Windows
- VMware - Carbon Black Cloud
| Origin | Field |
|---|---|
| Normalized Schema | device_hostname |
| Direct from Record | fields['EventData.SubjectLogonId'] |
| Normalized Schema | isNull |
| Normalized Schema | parentBaseImage |
| Normalized Schema | user_userId |
| Normalized Schema | user_username |
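The following is an added example, not the rule engine's own code, showing how the templated match on this card behaves when run over constructed normalized records. The exact match expression is not on the page; the example assumes the rule fires when `parentBaseImage` is `wmiprvse.exe`, renders the summary expression from the card, applies the static severity and tags, and attaches risk to the listed entities only when they are present (the `isNull` field from the table is modelled as a null check).

```python
"""Added example: a minimal re-implementation of the "WMIPRVSE Spawning
Process" templated match, run over constructed normalized records.
This is not the product's rule engine; the match condition (parent image
is wmiprvse.exe) is an assumption drawn from the rule's title and summary."""

from __future__ import annotations

import ntpath
import re
from typing import Any, Optional

# Static values copied from the rule card.
SIGNAL_NAME = "WMIPRVSE Spawning Process"
SUMMARY_EXPRESSION = (
    "Wmiprvse observed spawning child process {{baseImage}} on {{device_hostname}}"
)
SEVERITY = 3
TAGS = ["_mitreAttackTactic:TA0002", "_mitreAttackTechnique:T1047"]
RISK_ENTITIES = ["device_hostname", "user_username"]

# Assumption: the match keys on the parent process image name.
PARENT_IMAGE = "wmiprvse.exe"

_PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def is_null(value: Any) -> bool:
    """Stand-in for the isNull helper listed on the card: None or blank counts as null."""
    return value is None or (isinstance(value, str) and value.strip() == "")


def render(template: str, record: dict[str, Any]) -> str:
    """Substitute {{field}} placeholders with record values; null fields become <unknown>."""
    def sub(m: re.Match) -> str:
        val = record.get(m.group(1))
        return "<unknown>" if is_null(val) else str(val)
    return _PLACEHOLDER.sub(sub, template)


def matches(record: dict[str, Any]) -> bool:
    """True when the parent image is wmiprvse.exe (case-insensitive, path-tolerant)."""
    parent = record.get("parentBaseImage")
    if is_null(parent):
        return False
    return ntpath.basename(str(parent)).lower() == PARENT_IMAGE


def evaluate(record: dict[str, Any]) -> Optional[dict[str, Any]]:
    """Return a signal dict for a matching record, or None when the rule does not fire."""
    if not matches(record):
        return None
    # Risk is applied only to entities that are actually populated on the record.
    entities = {e: record[e] for e in RISK_ENTITIES if not is_null(record.get(e))}
    return {
        "name": SIGNAL_NAME,
        "summary": render(SUMMARY_EXPRESSION, record),
        "severity": SEVERITY,
        "tags": list(TAGS),
        "entities": entities,
        # Raw field read "direct from record", as the card lists it.
        "logon_id": record.get("fields", {}).get("EventData.SubjectLogonId"),
    }


def run(records: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Evaluate every record and keep the signals that fired."""
    return [s for s in (evaluate(r) for r in records) if s is not None]


# Constructed sample records (hostnames, users and SIDs are made up).
SAMPLE_RECORDS = [
    {"device_hostname": "ws-042", "user_username": "alice", "user_userId": "S-1-5-21-1",
     "parentBaseImage": "wmiprvse.exe", "baseImage": "cmd.exe",
     "fields": {"EventData.SubjectLogonId": "0x3e7"}},
    {"device_hostname": "ws-042", "user_username": "alice",
     "parentBaseImage": "explorer.exe", "baseImage": "notepad.exe", "fields": {}},
    {"device_hostname": "srv-01", "user_username": None,
     "parentBaseImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "baseImage": "powershell.exe", "fields": {}},
    {"device_hostname": "srv-02", "parentBaseImage": None,
     "baseImage": "svchost.exe", "fields": {}},
]

if __name__ == "__main__":
    for signal in run(SAMPLE_RECORDS):
        print(signal["severity"], signal["summary"], signal["entities"])
```

The third sample record fires even though `user_username` is null, so risk lands on the host only; the fourth, with no parent image at all, is skipped rather than raising. That is the behaviour a reviewer should confirm for any rule that applies risk to more than one entity type.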