WMI Suspicious Powershell Cmdlets (RedCanary Threat Detection Report)
Detects WMI-related suspicious powershell cmdlets. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule (View on GitHub)
1title: WMI Suspicious Powershell Cmdlets (RedCanary Threat Detection Report)
2id: 75b32717-173f-45d0-9447-be84f8bdcce5
3status: experimental
4description: Detects WMI-related suspicious powershell cmdlets. Part of the RedCanary 2023 Threat Detection Report.
5references:
6 - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
7author: RedCanary, Sigma formatting by Micah Babinski
8date: 2023/05/10
9tags:
10 - attack.execution
11 - attack.t1047
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 Image|endswith: '\powershell.exe'
18 CommandLine|contains:
19 - 'invoke-wmimethod'
20 - 'invoke-cimmethod'
21 - 'get-wmiobject'
22 - 'get-ciminstance'
23 - 'wmiclass'
24 condition: selection
25falsepositives:
26 - Unknown.
27level: low```
References
-
Windows Management Instrumentation is a mainstay in our top 10 techniques, largely due to adversary abuse of Impacket’s WMIexec module.
Read More
Related rules
- Office Products Spawning WMI (RedCanary Threat Detection Report)
- WMI Reconnaissance (RedCanary Threat Detection Report)
- WMI Shadow Copy Deletion (RedCanary Threat Detection Report)
- WMI Suspicious Commands (RedCanary Threat Detection Report)
- WMI Suspicious Process Lineage (RedCanary Threat Detection Report)