Suspicious PowerShell Cmdlets - WMI

There are numerous default PowerShell cmdlets that allow administrators to leverage WMI via PowerShell. Both adversaries and administrators use these cmdlets to query the operating system or execute commands, either locally or remotely. Cmdlets like Get-WMIObject are often used for reconnaissance. This rule is part of the RedCanary 2024 Threat Detection Report. Note that the selection below only matches `\powershell.exe`, so the same cmdlets run from pwsh.exe (PowerShell 7) are not covered, and the substring `wmiclass` also catches the `[wmiclass]` type accelerator, not just cmdlet names.

Sigma rule

```yaml
title: Suspicious PowerShell Cmdlets - WMI
id: e29d3301-3b64-4305-9e91-8aabfbef2015
status: experimental
description: |
    There are numerous default PowerShell cmdlets that allow administrators to leverage WMI via
    PowerShell. Both adversaries and administrators use these cmdlets to query the operating
    system or execute commands, either locally or remotely. Cmdlets like Get-WMIObject are often
    used for reconnaissance. Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.execution
    - attack.t1047
    - attack.t1059
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'invoke-wmimethod'
            - 'invoke-cimmethod'
            - 'get-wmiobject'
            - 'get-ciminstance'
            - 'wmiclass'
    condition: selection
falsepositives:
    - Unknown
level: low
```
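To see what the selection above actually fires on, here is an added example (not part of the Sigma rule or the Red Canary report) that re-implements the rule's two field conditions in Python and runs them over a handful of constructed process_creation events. Sigma string modifiers such as `endswith` and `contains` are case-insensitive by default, so the comparison lowercases both sides. The sample events, the `ProcessEvent` class and the helper names are all assumptions made for this illustration; the event list is constructed, not real telemetry.

```python
"""Evaluate the 'Suspicious PowerShell Cmdlets - WMI' selection over
process_creation events. Added example; not code from the rule or the report."""

from dataclasses import dataclass

# Field conditions copied from the rule. Sigma matching is case-insensitive
# by default, so every comparison is done on lower-cased strings.
IMAGE_SUFFIX = "\\powershell.exe"
COMMANDLINE_TERMS = (
    "invoke-wmimethod",
    "invoke-cimmethod",
    "get-wmiobject",
    "get-ciminstance",
    "wmiclass",
)


@dataclass
class ProcessEvent:
    """Minimal stand-in for a Sysmon/4688 process-creation record (assumed shape)."""
    image: str
    command_line: str


def matches_rule(event: ProcessEvent) -> bool:
    """True when both fields of 'selection' match (Sigma ANDs the fields of a map)."""
    image_ok = event.image.lower().endswith(IMAGE_SUFFIX)
    cmdline = event.command_line.lower()
    cmdline_ok = any(term in cmdline for term in COMMANDLINE_TERMS)
    return image_ok and cmdline_ok


def matched_terms(event: ProcessEvent) -> list:
    """The CommandLine terms that fired, useful for enriching the alert."""
    cmdline = event.command_line.lower()
    return [t for t in COMMANDLINE_TERMS if t in cmdline]


# Constructed sample events (hypothetical, not captured from a real host).
SAMPLE_EVENTS = [
    # Classic recon via the legacy WMI cmdlet.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -NoP -c "Get-WmiObject -Class Win32_ComputerSystem"'),
    # Process creation through the [wmiclass] type accelerator, no cmdlet name at all.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -c \"([wmiclass]'Win32_Process').Create('notepad.exe')\""),
    # CIM equivalent of the first event.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -c Get-CimInstance -ClassName Win32_Process"),
    # Same cmdlet from PowerShell 7: Image ends with pwsh.exe, so the rule misses it.
    ProcessEvent(r"C:\Program Files\PowerShell\7\pwsh.exe",
                 "pwsh.exe -c Get-CimInstance Win32_OperatingSystem"),
    # PowerShell activity with no WMI/CIM term: must not alert.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -c Get-Process"),
]


def run_rule(events=SAMPLE_EVENTS) -> list:
    """Indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_EVENTS):
        flag = "ALERT" if matches_rule(e) else "     "
        print(f"{flag} [{i}] {e.command_line}  terms={matched_terms(e)}")
```

Running it flags events 0, 1 and 2 and leaves 3 and 4 alone. Event 3 is the gap worth remembering when deploying the rule: the cmdlet is identical, but the `Image|endswith: '\powershell.exe'` condition never sees pwsh.exe, so a second `Image` value (or a `ParentImage`/`OriginalFileName` based variant) is needed if PowerShell 7 is present in the estate.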
