Administrators may leverage WMI and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.

Techniques

Sample rules

Remote Process Instantiation via WMI and PowerShell

Description

This analytic looks for the execution of powershell.exe leveraging the Invoke-WmiMethod cmdlet, complemented with arguments used to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and powershell.exe for lateral movement and remote code execution.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="*Invoke-WmiMethod*" AND Processes.process="*-CN*" AND Processes.process="*-Class Win32_Process*" AND  Processes.process="*-Name create*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `remote_process_instantiation_via_wmi_and_powershell_filter`

Remote Process Instantiation via WMI and PowerShell Script Block

Description

The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Invoke-WmiMethod cmdlet with arguments used to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and this cmdlet for lateral movement and remote code execution.

Detection logic

`powershell` EventCode=4104 ScriptBlockText="*Invoke-WmiMethod*" AND (ScriptBlockText="*-CN*" OR ScriptBlockText="*-ComputerName*") AND ScriptBlockText="*-Class Win32_Process*" AND ScriptBlockText="*-Name create*" 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `remote_process_instantiation_via_wmi_and_powershell_script_block_filter`
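To show what the two analytics above actually match, and how the trailing `_filter` macro absorbs the small set of admin hosts and users named in the false-positive note, here is a Python rendering of the Script Block (EventCode 4104) logic. This is an added example, not code from the LoFP page or from Splunk; the event fields, host names, user names and script text are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class ScriptBlockEvent:
    """Subset of a 4104 event: EventCode, Computer, UserID, ScriptBlockText."""
    event_code: int
    computer: str
    user_id: str
    script_block_text: str

def matches_remote_wmi_process_create(text: str) -> bool:
    """Mirror the SPL: each "*term*" is a case-insensitive substring test.

    The script-block rule accepts -CN or -ComputerName; note that the
    process-based rule above only checks "*-CN*", and "-ComputerName"
    does not contain that substring.
    """
    t = text.lower()
    return (
        "invoke-wmimethod" in t
        and ("-cn" in t or "-computername" in t)
        and "-class win32_process" in t
        and "-name create" in t
    )

# Stand-in for the *_filter macro: (Computer, UserID) pairs that are known
# to run remote WMI process creation for administration (constructed values).
ALLOWLIST = {("ADMIN-JUMP01", "CORP\\svc_deploy")}

def detect(events, allowlist=ALLOWLIST):
    """Return the events that survive the match and the allowlist."""
    return [
        e for e in events
        if e.event_code == 4104
        and matches_remote_wmi_process_create(e.script_block_text)
        and (e.computer, e.user_id) not in allowlist
    ]

# Constructed sample events covering a hit, an allowlisted hit, a local-only
# Invoke-WmiMethod (no remote target), a non-process WMI query and the wrong EventCode.
SAMPLE_EVENTS = [
    ScriptBlockEvent(4104, "WS-0042", "CORP\\jdoe",
        "Invoke-WmiMethod -ComputerName FS01 -Class Win32_Process -Name Create -ArgumentList 'tool.exe'"),
    ScriptBlockEvent(4104, "ADMIN-JUMP01", "CORP\\svc_deploy",
        "Invoke-WmiMethod -CN FS01 -Class Win32_Process -Name create -ArgumentList 'tool.exe'"),
    ScriptBlockEvent(4104, "WS-0042", "CORP\\jdoe",
        "Invoke-WmiMethod -Class Win32_Process -Name create -ArgumentList 'tool.exe'"),
    ScriptBlockEvent(4104, "WS-0042", "CORP\\jdoe",
        "Get-WmiObject -ComputerName FS01 -Class Win32_OperatingSystem"),
    ScriptBlockEvent(4103, "WS-0042", "CORP\\jdoe",
        "Invoke-WmiMethod -CN FS01 -Class Win32_Process -Name create -ArgumentList 'tool.exe'"),
]
```

Running `detect(SAMPLE_EVENTS)` returns only the first event; the second is tuned out by the allowlist, the rest never match.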