
Strange Behavior When Scanning WMI Entries



I have a HIPS rule to alert me when any child processes are started from wmiprvse.exe. Up till two weeks ago, that rule was never triggered. At that time when performing an Eset on-demand scan, the rule triggered when scanning WMI entries noting an attempted startup of werfault.exe. Appeared to be a fluke event and I just blocked the werfault.exe startup.

Yesterday while again running an Eset on-demand scan, the same behavior occurred:

Time;Application;Operation;Target;Action;Rule;Additional information
3/26/2023 4:57:56 PM;C:\Windows\System32\wbem\WmiPrvSE.exe;Start new application;C:\WINDOWS\system32\WerFault.exe;Blocked;Deny child processes started from WmiPrvSE.exe;

Here's a screen shot showing command line string input to werfault.exe:

[Screenshot: Eset_WMI_Detection.png]

At the same time of the HIPS alert, my Win 10 Code Integrity log filled up with entries; most notably Eset eamsi.dll attempting to run:

[Screenshot: Eset_AMSI.png]

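The rule in the post (flag any child process started from WmiPrvSE.exe) can also be checked offline against an exported HIPS log. This is an added example, not ESET's code or the poster's; it assumes the semicolon-delimited export layout quoted above and runs on a constructed sample that includes the quoted event plus one unrelated event.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed sample in the layout of the HIPS log export quoted in the post:
# a header row, then one record per event. The first record is the quoted
# event; the second is an unrelated, constructed event that must not match.
SAMPLE_HIPS_LOG = r"""Time;Application;Operation;Target;Action;Rule;Additional information
3/26/2023 4:57:56 PM;C:\Windows\System32\wbem\WmiPrvSE.exe;Start new application;C:\WINDOWS\system32\WerFault.exe;Blocked;Deny child processes started from WmiPrvSE.exe;
3/26/2023 4:58:10 PM;C:\Windows\explorer.exe;Start new application;C:\Windows\System32\notepad.exe;Allowed;;
"""

# Parent image names (lower-cased) whose child-process starts we want to see.
WATCHED_PARENTS = {"wmiprvse.exe"}


def parse_hips_log(text):
    """Parse the semicolon-delimited export into a list of dict records.
    A trailing ';' on a record (as in the quoted line) yields an extra empty
    field, which DictReader stores under the key None and we simply ignore."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    return list(reader)


def find_wmi_child_starts(records):
    """Return the events where a watched parent started a child process,
    regardless of whether the HIPS action was Blocked or Allowed."""
    hits = []
    for rec in records:
        # Compare on the image name only; the export mixes path casing.
        parent = PureWindowsPath(rec["Application"]).name.lower()
        if rec["Operation"] == "Start new application" and parent in WATCHED_PARENTS:
            hits.append({
                "time": rec["Time"],
                "parent": rec["Application"],
                "child": rec["Target"],
                "action": rec["Action"],
                "rule": rec["Rule"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_wmi_child_starts(parse_hips_log(SAMPLE_HIPS_LOG)):
        print(f'{hit["time"]}: {hit["parent"]} -> {hit["child"]} [{hit["action"]}]')
```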

Posted (edited)

This is the last Win WMI log entry prior to the HIPS alert which is revealing:

[Screenshot: Eset_WMI_Log.png]

Edited by itman