Suspicious WMI-Related Powershell Cmdlets

calendar Nov 9, 2022 · attack.execution attack.t1059 attack.t1059.001 attack.t1047  ·
Share on: linkedin copy

Detects potential adversaries using powershell WMI-related cmdlets to query the operating system or execute commands, either locally or remotely. Inspired by the 2022 Red Canary Threat Detection report.

Sigma rule (View on GitHub)

 1title: Suspicious WMI-Related Powershell Cmdlets
 2id: c920d5b8-0e50-40ef-8f1a-5eb27399f455
 3status: experimental
 4description: Detects potential adversaries using powershell WMI-related cmdlets to
 5    query the operating system or execute commands, either locally or remotely. Inspired
 6    by the 2022 Red Canary Threat Detection report.
 7references:
 8    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
 9author: Micah Babinski
10date: 2022/11/03
11tags:
12    - attack.execution
13    - attack.t1059
14    - attack.t1059.001
15    - attack.t1047
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        Image|endswith: '\powershell.exe'
22        CommandLine|contains:
23            - 'invoke-wmimethod'
24            - 'invoke-cimmethod'
25            - 'get-wmiobject'
26            - 'getciminstance'
27            - 'wmiclass'
28    condition: selection
29falsepositives:
30    - Unknown
31level: medium```

References

Related rules

to-top