Wmiexec Default Output File

 1title: Wmiexec Default Output File
 2id: 8d5aca11-22b3-4f22-b7ba-90e60533e1fb
 3status: test
 4description: Detects the creation of the default output filename used by the wmiexec tool
 5references:
 6    - https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
 7    - https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2022-06-02
10modified: 2023-03-08
11tags:
12    - attack.lateral-movement
13    - attack.t1047
14logsource:
15    category: file_event
16    product: windows
17detection:
18    selection:
19        - TargetFilename|re: '\\Windows\\__1\d{9}\.\d{1,7}$' # Admin$
20        - TargetFilename|re: 'C:\\__1\d{9}\.\d{1,7}$' # C$
21        - TargetFilename|re: 'D:\\__1\d{9}\.\d{1,7}$' # D$
22    condition: selection
23falsepositives:
24    - Unlikely
25level: critical

References

• How to Detect and Prevent impacket's Wmiexec | CrowdStrike

  This blog deep dives into wmiexec usage seen from multiple incident response investigations, and describes indicators to help defenders detect wmiexec.

  
  Read More

• impacket/examples/wmiexec.py at f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a · fortra/impacket

  

  Impacket is a collection of Python classes for working with network protocols. - fortra/impacket

  
  Read More

Related rules

• HackTool - Potential Impacket Lateral Movement Activity
• PSExec and WMI Process Creations Block
• Remote DCOM/WMI Lateral Movement
• T1047 Wmiprvse Wbemcomn DLL Hijack
• Wmiprvse Wbemcomn DLL Hijack