WmiExecutionInfo
A WMI execution event occurs only when the WMI method Win32_Process.Create() is called.
| Property | Type | Description |
|---|---|---|
| ClassName | String | The class containing the triggered method |
| ClientMachineFQDN | String | Fully qualified domain name of the client machine |
| CommandLine | String | The command line sent to the method as a list of arguments |
| IsLocal | Bool | Whether the method was called locally or remotely |
| MethodName | String | The method that was triggered |
Example
```xml
<rule>
  <definition>
    <operations>
      <operation type="WmiExecution">
        <condition component="WmiExecutionInfo" property="CommandLine" condition="is" value="notepad.exe"/>
      </operation>
    </operations>
  </definition>
  <description>
    <name>WMI Execution event where argument is notepad.exe</name>
    <category>Default</category>
  </description>
</rule>
```
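The following is an added example, not part of the original documentation or the product's own code: a small evaluator that parses a rule written in the XML format above and matches it against WmiExecutionInfo events. The constructed rule keeps the documented notepad.exe condition and adds a second operation that flags remote callers via IsLocal; the "false" string value for a Bool property, case-insensitive comparison, AND-ing of conditions inside one operation, and OR-ing of operations are assumptions, since the page documents only the "is" condition.

```python
import xml.etree.ElementTree as ET

# Constructed rule in the page's format. Operation 1 is the documented example;
# operation 2 (IsLocal is false) is an assumption about how Bool values are written.
RULE_XML = """<rule>
  <definition>
    <operations>
      <operation type="WmiExecution">
        <condition component="WmiExecutionInfo" property="CommandLine" condition="is" value="notepad.exe"/>
      </operation>
      <operation type="WmiExecution">
        <condition component="WmiExecutionInfo" property="IsLocal" condition="is" value="false"/>
      </operation>
    </operations>
  </definition>
  <description>
    <name>WMI Execution: notepad.exe or remote caller</name>
    <category>Default</category>
  </description>
</rule>"""

def parse_rule(xml_text):
    # Returns (rule name, [(operation type, [(component, property, condition, value), ...]), ...])
    root = ET.fromstring(xml_text)
    name = root.findtext("description/name")
    ops = []
    for op in root.iterfind("definition/operations/operation"):
        conds = [(c.get("component"), c.get("property"), c.get("condition"), c.get("value"))
                 for c in op.iterfind("condition")]
        ops.append((op.get("type"), conds))
    return name, ops

def matches(event, conds):
    # All conditions in one operation must hold (assumption); only "is" is documented.
    for component, prop, cond, value in conds:
        if component != "WmiExecutionInfo" or cond != "is":
            return False
        if str(event.get(prop)).lower() != value.lower():  # case-insensitive (assumption)
            return False
    return True

def evaluate(xml_text, event):
    # Returns the rule name when any WmiExecution operation matches the event, else None.
    name, ops = parse_rule(xml_text)
    for op_type, conds in ops:
        if op_type == "WmiExecution" and matches(event, conds):
            return name
    return None
```

Events are plain dictionaries keyed by the property names in the table above; a Win32_Process.Create call with CommandLine "calc.exe" from a remote client matches through the IsLocal operation, while the same call made locally matches nothing.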
Supported operations
• WmiExecution