
add coverage for process manipulation via WMI Win32_Process

Open. mike-hunhoff opened this issue 4 years ago. 1 comment

The Win32_Process WMI class represents a process on an operating system.

https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/create-method-in-class-win32-process
https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/terminate-method-in-class-win32-process

mike-hunhoff, Oct 18 '21 15:10
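For context on what such a rule is meant to catch, the following is an added example (not part of the issue and not capa-rules project code) showing the two Win32_Process methods the links above describe, driven from PowerShell via the CIM cmdlets: Create spawns a process and returns its ProcessId, Terminate ends it. The command line (notepad.exe) and the Reason value are assumptions chosen for the demonstration. A sample doing this natively would go through the WMI COM interfaces instead, but the class and method names are the same literals that end up in the binary, which is why the rule fragments below key on them.

```powershell
# Added example, not from the capa-rules issue.
# Create a process through the WMI class Win32_Process (method "Create").
# The command line is an assumption; any harmless executable will do.
$create = Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{
    CommandLine = 'notepad.exe'
}
if ($create.ReturnValue -ne 0) {
    # Win32_Process.Create returns 0 on success; other codes are documented on the page linked above.
    throw "Win32_Process.Create failed, ReturnValue=$($create.ReturnValue)"
}
$targetPid = $create.ProcessId
Write-Host "Win32_Process.Create started PID $targetPid"

# Resolve the Win32_Process instance for that PID and call "Terminate" on it.
$instance = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $targetPid"
if (-not $instance) {
    throw "no Win32_Process instance found for PID $targetPid"
}
# Reason is an optional uint32 exit code handed to the terminated process (assumed 0 here).
$terminate = Invoke-CimMethod -InputObject $instance -MethodName Terminate -Arguments @{
    Reason = [uint32]0
}
if ($terminate.ReturnValue -ne 0) {
    throw "Win32_Process.Terminate failed, ReturnValue=$($terminate.ReturnValue)"
}
Write-Host "Win32_Process.Terminate ended PID $targetPid"
```

Run this in an elevated or user session as appropriate; both calls target the local machine, and adding -ComputerName to Get-CimInstance/Invoke-CimMethod turns the same two methods into the remote process creation and termination that the WMI technique is usually associated with. Note that "Create" and "Terminate" are generic strings on their own, which is why the fragments below pair them with "Win32_Process" under an and.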

similar to #470.

create process via Win32_Process:

...
- and:
  - string: "Win32_Process"
  - or:
    - string: "Create"

terminate process via Win32_Process:

...
- and:
  - string: "Win32_Process"
  - or:
    - string: "Terminate"

mike-hunhoff, Nov 15 '21 19:11