Wmiexec Default Output File
Detects the creation of the default output filename used by the wmiexec tool
Sigma rule (View on GitHub)
1title: Wmiexec Default Output File
2id: 8d5aca11-22b3-4f22-b7ba-90e60533e1fb
3status: test
4description: Detects the creation of the default output filename used by the wmiexec tool
5references:
6 - https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
7 - https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2022/06/02
10modified: 2023/03/08
11tags:
12 - attack.lateral_movement
13 - attack.t1047
14logsource:
15 category: file_event
16 product: windows
17detection:
18 selection:
19 - TargetFilename|re: '\\Windows\\__1\d{9}\.\d{1,7}$' # Admin$
20 - TargetFilename|re: 'C:\\__1\d{9}\.\d{1,7}$' # C$
21 - TargetFilename|re: 'D:\\__1\d{9}\.\d{1,7}$' # D$
22 condition: selection
23falsepositives:
24 - Unlikely
25level: critical
References
-
This blog deep dives into wmiexec usage seen from multiple incident response investigations, and describes indicators to help defenders detect wmiexec.
Read More -
Impacket is a collection of Python classes for working with network protocols. - fortra/impacket
Read More
Related rules
- PSExec and WMI Process Creations Block
- Remote DCOM/WMI Lateral Movement
- T1047 Wmiprvse Wbemcomn DLL Hijack
- HackTool - Potential Impacket Lateral Movement Activity
- Wmiprvse Wbemcomn DLL Hijack