Any kernel driver that allows arbitrary MSR or PCI access is a weapon, regardless of who signed it.
Treat wmbenum.sys like you treat PROCEXP152.sys (the Process Explorer driver): Block it unless you explicitly need it, and audit every load event. Have you found wmbenum.sys loaded outside System32 in your environment? Share your hunting stories in the comments below.
In this post, we will strip away the assumptions and look at what wmbenum.sys actually is, why it exists, and why attackers love to abuse it. Full Path: C:\Windows\System32\drivers\wmbenum.sys Signed By: Microsoft Windows Description: WMI Provider Framework (WMI Explorer)
DeviceImageLoadEvents | where FileName == "wmbenum.sys" | where FolderPath != @"C:\Windows\System32\drivers\wmbenum.sys" Any load from Temp , Users\Public , or Downloads is malicious.