← Library
sigmaDRL-1.1from SigmaHQ/sigma

UEFI Persistence Via Wpbbin - FileCreation

Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1542.001
Rule sourcerules/windows/file/file_event/file_event_win_wpbbin_persistence.yml
title: UEFI Persistence Via Wpbbin - FileCreation
id: e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f
status: test
description: Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method
references:
    - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
    - https://persistence-info.github.io/Data/wpbbin.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-18
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1542.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename: 'C:\Windows\System32\wpbbin.exe'
    condition: selection
falsepositives:
    - Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)
level: high