
Strange Behavior When Scanning WMI Entries



I have a HIPS rule to alert me when any child processes are started from wmiprvse.exe. Up until two weeks ago, that rule was never triggered. At that time, when performing an Eset on-demand scan, the rule triggered while scanning WMI entries, noting an attempted startup of werfault.exe. It appeared to be a fluke event, and I just blocked the werfault.exe startup.

Yesterday while again running an Eset on-demand scan, the same behavior occurred:

Time;Application;Operation;Target;Action;Rule;Additional information
3/26/2023 4:57:56 PM;C:\Windows\System32\wbem\WmiPrvSE.exe;Start new application;C:\WINDOWS\system32\WerFault.exe;Blocked;Deny child processes started from WmiPrvSE.exe;

Here's a screenshot showing the command-line string input to werfault.exe:

[Screenshot: Eset_WMI_Detection.png, the command-line string passed to werfault.exe]

At the same time of the HIPS alert, my Win 10 Code Integrity log filled up with entries; most notably Eset eamsi.dll attempting to run:

[Screenshot: Eset_AMSI.png, Code Integrity log entries including eamsi.dll]

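The HIPS log export quoted above is a semicolon-delimited table with a fixed header, so the same kind of event is easy to pull out of a larger export. The following script is an added example, not part of the original post or of ESET's own tooling: it parses that export format, keeps only "Start new application" events whose parent is WmiPrvSE.exe, and reports the child name together with the HIPS action so Blocked and Allowed starts can be compared. The first sample row is the event from the post; the other two rows are constructed here (a benign explorer.exe start the filter should ignore, and an "Allowed" WmiPrvSE.exe child), and the column names are assumed to be exactly those of the quoted header.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed sample of an ESET HIPS log export (semicolon-delimited, one event
# per line). The first data row is the event quoted in the post; the other two
# rows are made up for this example: a benign explorer.exe start that the rule
# should ignore, and an "Allowed" WmiPrvSE.exe child a reviewer would still want to see.
SAMPLE_HIPS_EXPORT = r"""Time;Application;Operation;Target;Action;Rule;Additional information
3/26/2023 4:57:56 PM;C:\Windows\System32\wbem\WmiPrvSE.exe;Start new application;C:\WINDOWS\system32\WerFault.exe;Blocked;Deny child processes started from WmiPrvSE.exe;
3/26/2023 4:58:10 PM;C:\Windows\explorer.exe;Start new application;C:\Windows\System32\notepad.exe;Allowed;;
3/26/2023 5:01:03 PM;C:\Windows\System32\wbem\WmiPrvSE.exe;Start new application;C:\Windows\System32\WerFault.exe;Allowed;;
"""


def parse_hips_export(text):
    """Parse the semicolon-delimited export into a list of dicts keyed by the header row."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    # Skip any row without an Application value (e.g. a trailing blank line).
    return [row for row in reader if row.get("Application")]


def _basename(win_path):
    """Lower-cased file name of a Windows path, so C:\\WINDOWS\\system32\\X.exe matches 'x.exe'."""
    return PureWindowsPath(win_path).name.lower()


def find_wmi_child_starts(rows, parent="wmiprvse.exe"):
    """Return every 'Start new application' event whose parent process is `parent`.

    Both Blocked and Allowed events are returned; the HIPS action is kept on each
    finding so a reviewer can see which starts the rule stopped and which it let
    through (for example if the rule were switched to ask or log-only mode).
    """
    findings = []
    for row in rows:
        if row["Operation"] != "Start new application":
            continue
        if _basename(row["Application"]) != parent:
            continue
        findings.append({
            "time": row["Time"],
            "parent": row["Application"],
            "child": _basename(row["Target"]),
            "action": row["Action"],
            "rule": row["Rule"],
        })
    return findings


def summarize(findings):
    """Count child process names per HIPS action, e.g. {('werfault.exe', 'Blocked'): 1}."""
    counts = {}
    for finding in findings:
        key = (finding["child"], finding["action"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_wmi_child_starts(parse_hips_export(SAMPLE_HIPS_EXPORT))
    for hit in hits:
        print(f'{hit["time"]}  {hit["action"]:8} {hit["parent"]} -> {hit["child"]}')
    print(summarize(hits))
```

Matching on the lower-cased file name rather than the full path is deliberate: the export writes the parent as `C:\Windows\System32\wbem\WmiPrvSE.exe` and the child as `C:\WINDOWS\system32\WerFault.exe`, and the same binary can appear with either casing. Run over a full export, `summarize` gives a quick view of which child names WmiPrvSE.exe has tried to start and how often, which is the first thing to check when deciding whether a new child is a one-off like the one in the post or a pattern.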

This is the last Win WMI log entry prior to the HIPS alert which is revealing:

[Screenshot: Eset_WMI_Log.png, the last WMI log entry before the HIPS alert]

Edited by itman