Impacket WMIExec.py Execution (RedCanary Threat Detection Report)
Detects execution from Impacket's wmiexec.py. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule (View on GitHub)
1title: Impacket WMIExec.py Execution (RedCanary Threat Detection Report)
2id: 26d79902-98ac-43f8-b669-99486e2b5126
3status: experimental
4description: Detects execution from Impacket's wmiexec.py. Part of the RedCanary 2023 Threat Detection Report.
5references:
6 - https://redcanary.com/threat-detection-report/threats/impacket/
7author: RedCanary, Sigma formatting by Micah Babinski
8date: 2023/05/10
9tags:
10 - attack.s0357
11logsource:
12 category: process_creation
13 product: windows
14detection:
15 selection:
16 ParentImage|endswith: '\wmiprvse.exe'
17 Image|endswith: '\cmd.exe'
18 CommandLine|re: '(?i)cmd.exe \/Q \/c .*\\\\127.0.0.1\\ADMIN\$\\__[0-9]{1,10}\.[0-9]{1,10} 2>&1'
19 condition: selection
20falsepositives:
21 - Unknown
22level: low```
References
-
Though Impacket is used legitimately for testing, it is often abused by ransomware operators and other adversaries.
Read More
Related rules
- Impacket SMBexec.py Execution (RedCanary Threat Detection Report)
- Impacket Atexec.py Execution (RedCanary Threat Detection Report)
- Impacket AtExec Process Activity
- Possible Impacket GetUserSPNs Activity
- Suspicious Impacket PSExec Temp Executable File Creation