Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell

Aug 12, 2024 · attack.execution attack.t1047 attack.t1059.001 ·

Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.

Sigma rule (View on GitHub)

 1title: Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
 2id: 692f0bec-83ba-4d04-af7e-e884a96059b6
 3related:
 4    - id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
 5      type: similar
 6    - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
 7      type: similar
 8status: stable
 9description: Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.
10references:
11    - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e
12author: Markus Neis @Karneades
13date: 2019-04-03
14modified: 2023-03-29
15tags:
16    - attack.execution
17    - attack.t1047
18    - attack.t1059.001
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_parent:
24        ParentImage|endswith: '\WmiPrvSE.exe'
25    selection_img:
26        - Image|endswith:
27              - '\powershell.exe'
28              - '\pwsh.exe'
29        - OriginalFileName:
30              - 'PowerShell.EXE'
31              - 'pwsh.dll'
32    condition: all of selection_*
33falsepositives:
34    - AppvClient
35    - CCM
36    - WinRM
37level: medium

References

Malware analysis ACC_E85297.doc Malicious activity | ANY.RUN - Malware Sandbox Online

Online sandbox report for ACC_E85297.doc, tagged as macros, macros-on-open, generated-doc, loader, emotet, emotet-doc, verdict: Malicious activity

Read More

Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell

Sigma rule (View on GitHub)

References

Malware analysis ACC_E85297.doc Malicious activity | ANY.RUN - Malware Sandbox Online

Related rules