HackTool - Wmiexec Default Powershell Command
Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script
Sigma rule (View on GitHub)
1title: HackTool - Wmiexec Default Powershell Command
2id: 022eaba8-f0bf-4dd9-9217-4604b0bb3bb0
3status: test
4description: Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script
5references:
6 - https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023/03/08
9tags:
10 - attack.defense_evasion
11 - attack.lateral_movement
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 CommandLine|contains: '-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc'
18 condition: selection
19falsepositives:
20 - Unlikely
21level: high
References
-
Impacket is a collection of Python classes for working with network protocols. - fortra/impacket
Read More
Related rules
- Potential Tampering With RDP Related Registry Keys Via Reg.EXE
- New Port Forwarding Rule Added Via Netsh.EXE
- WannaCry Ransomware Activity
- Audit CVE Event
- Outgoing Logon with New Credentials