WmiExecutionInfo
A WMI execution event occurs only when the WMI method Win32_Process.Create() is called.
Property | Type | Description
---|---|---
MethodName | String | The method that was triggered
ClassName | String | The class containing the triggered method
CommandLine | String | The command line passed to the method as its list of arguments
IsLocal | Bool | Whether the method was called locally or remotely
Example:

```xml
<rule>
  <definition>
    <operations>
      <operation type="WmiExecution">
        <condition component="WmiExecutionInfo" property="CommandLine" condition="is" value="notepad.exe"/>
      </operation>
    </operations>
  </definition>
  <description>
    <name>WMI Execution event where argument is notepad.exe</name>
    <category>Default</category>
  </description>
</rule>
```
Supported Operations and their components:

Operation | WmiExecutionInfo
---|---
WmiExecution | X
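To show how a rule in this format is applied to an event, here is an added Python evaluator (not code from the original page or the product) that parses the example rule above and tests it against constructed WmiExecutionInfo events. The matching semantics, in particular treating `is` as exact equality, and the event dictionary layout are assumptions.

```python
import xml.etree.ElementTree as ET

# The rule below is the page's own example; the evaluator and sample events are added here.
RULE_XML = """<rule>
  <definition>
    <operations>
      <operation type="WmiExecution">
        <condition component="WmiExecutionInfo" property="CommandLine" condition="is" value="notepad.exe"/>
      </operation>
    </operations>
  </definition>
  <description>
    <name>WMI Execution event where argument is notepad.exe</name>
    <category>Default</category>
  </description>
</rule>"""

def parse_rule(xml_text):
    # Returns (name, [(operation type, [(component, property, condition, value), ...]), ...]).
    root = ET.fromstring(xml_text)
    operations = []
    for op in root.iter("operation"):
        conds = [(c.get("component"), c.get("property"), c.get("condition"), c.get("value"))
                 for c in op.findall("condition")]
        operations.append((op.get("type"), conds))
    return root.findtext("description/name"), operations

def condition_holds(event, component, prop, condition, value):
    # Only "is" appears on the page; it is assumed here to mean exact equality
    # (a Bool property such as IsLocal compares against "true"/"false").
    if condition != "is":
        raise ValueError(f"unsupported condition: {condition!r}")
    actual = event.get(component, {}).get(prop)
    if isinstance(actual, bool):
        return actual is (value.lower() == "true")
    return actual == value

def rule_matches(rule, event):
    # Fires when an operation of the event's type exists and all of its conditions hold.
    _, operations = rule
    return any(op_type == event["operation"] and all(condition_holds(event, *c) for c in conds)
               for op_type, conds in operations)

def wmi_event(command_line, is_local):
    # Constructed WmiExecutionInfo event, shaped after the property table above.
    return {"operation": "WmiExecution",
            "WmiExecutionInfo": {"MethodName": "Create", "ClassName": "Win32_Process",
                                 "CommandLine": command_line, "IsLocal": is_local}}
```

Because `is` is exact equality here, an event whose CommandLine carries extra arguments (for example `notepad.exe C:\file.txt`) does not match this rule.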