Wmbenum.sys Driver

DeviceImageLoadEvents | where FileName == "wmbenum.sys" | where FolderPath != @"C:\Windows\System32\drivers\wmbenum.sys"

Any load from Temp, Users\Public, or Downloads is malicious.

Treat wmbenum.sys like you treat PROCEXP152.sys (the Process Explorer driver): block it unless you explicitly need it, and audit every load event. Have you found wmbenum.sys loaded outside System32 in your environment? Share your hunting stories in the comments below.

Get-AuthenticodeSignature "C:\Windows\System32\drivers\wmbenum.sys"

While the legitimate driver is signed by Microsoft, attackers can also sign a modified version with a stolen certificate, so a valid signature alone is not enough. Check the SignerCertificate thumbprint against Microsoft's official root certificate.

DeviceImageLoadEvents | where FileName == "wmbenum
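To show the path-based hunt and the signer check working together offline, here is an added example (not code from the original post) that applies the same rules to constructed records shaped like DeviceImageLoadEvents rows. The SignerSubject field and the EXPECTED_SIGNER string are assumptions: real image-load telemetry carries signer data in a separate certificate table, so join or adjust to whatever your platform reports.

```python
# Expected on-disk location of the legitimate driver (from the hunting query above),
# lower-cased because Windows paths are case-insensitive.
EXPECTED_PATH = r"c:\windows\system32\drivers\wmbenum.sys"
# Directories the post singles out as never legitimate for a driver load.
SUSPICIOUS_DIRS = ("\\temp\\", "\\users\\public\\", "\\downloads\\")
# Assumed signer subject for the legitimate driver; adjust to your telemetry's wording.
EXPECTED_SIGNER = "microsoft windows"

# Constructed sample records (not real telemetry) in the shape of DeviceImageLoadEvents rows.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "wmbenum.sys",
     "FolderPath": r"C:\Windows\System32\drivers\wmbenum.sys", "SignerSubject": "Microsoft Windows"},
    {"DeviceName": "ws02", "FileName": "wmbenum.sys",
     "FolderPath": r"C:\Users\Public\wmbenum.sys", "SignerSubject": "Microsoft Windows"},
    {"DeviceName": "ws03", "FileName": "WMBENUM.SYS",
     "FolderPath": r"C:\Users\alice\Downloads\wmbenum.sys", "SignerSubject": "Example Corp"},
    {"DeviceName": "ws04", "FileName": "other.sys",
     "FolderPath": r"C:\Temp\other.sys", "SignerSubject": "Example Corp"},
    {"DeviceName": "ws05", "FileName": "wmbenum.sys",
     "FolderPath": r"D:\Drivers\wmbenum.sys", "SignerSubject": "Microsoft Windows"},
]


def classify(event):
    """Return None if the event is not about wmbenum.sys, else a verdict string."""
    if event["FileName"].lower() != "wmbenum.sys":
        return None
    path = event["FolderPath"].replace("/", "\\").lower()
    signer_ok = event.get("SignerSubject", "").lower() == EXPECTED_SIGNER
    if path == EXPECTED_PATH:
        # Right place, but a signed-by-someone-else copy at the real path still needs a look.
        return "expected" if signer_ok else "investigate"
    if any(d in path for d in SUSPICIOUS_DIRS):
        # Temp, Users\Public and Downloads loads are malicious regardless of signer.
        return "malicious"
    # Any other location outside System32\drivers is worth triage even if Microsoft-signed.
    return "investigate"


def hunt(events):
    """Mirror the KQL hunt: every wmbenum.sys load that is not the expected one."""
    findings = []
    for event in events:
        verdict = classify(event)
        if verdict not in (None, "expected"):
            findings.append((event["DeviceName"], verdict))
    return findings


if __name__ == "__main__":
    for device, verdict in hunt(SAMPLE_EVENTS):
        print(f"{device}: {verdict}")
```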