LoFP: Administrators may use this legitimately to gather info from remote systems. Filter as needed.

Techniques

Sample rules

Remote WMI Command Attempt

Description

The following analytic identifies wmic.exe being used to spawn a local or remote process, identified by the node switch in its command line. During triage, review parallel processes for additional commands executed, and look for any file modifications before and after wmic.exe execution. In addition, identify the remote endpoint and confirm whether execution or file modifications occurred there. Contain and isolate the endpoint as needed.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process=*node* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `remote_wmi_command_attempt_filter`
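As an added illustration (not part of the LoFP page or the Splunk rule), the search above expressed in Python over constructed process events, with the `remote_wmi_command_attempt_filter` macro modelled as an allowlist of known administrative hosts and accounts, which is where the false positive noted at the top gets tuned out. The `process_wmic` macro is assumed to match `process_name=wmic.exe`; the hostnames, users and timestamps are all constructed.

```python
from collections import defaultdict

# Constructed Endpoint.Processes-style events (all values made up for this example).
# The first two records are the same wmic.exe process reported by two sources, which is
# how a grouped row ends up with count > 1 in the real search.
EVENTS = [
    {"_time": 1700000000, "dest": "ws01", "user": "CORP\\jdoe", "parent_process": "cmd.exe",
     "process_name": "wmic.exe", "process": "wmic /node:srv01 process call create notepad.exe",
     "process_id": 412, "parent_process_id": 300},
    {"_time": 1700000002, "dest": "ws01", "user": "CORP\\jdoe", "parent_process": "cmd.exe",
     "process_name": "wmic.exe", "process": "wmic /node:srv01 process call create notepad.exe",
     "process_id": 412, "parent_process_id": 300},
    {"_time": 1700000120, "dest": "admjump", "user": "CORP\\svc_inventory",
     "parent_process": "powershell.exe", "process_name": "wmic.exe",
     "process": "wmic /node:srv02 os get caption", "process_id": 900, "parent_process_id": 850},
    {"_time": 1700000180, "dest": "ws02", "user": "CORP\\asmith", "parent_process": "cmd.exe",
     "process_name": "wmic.exe", "process": "wmic os get caption",
     "process_id": 77, "parent_process_id": 50},
]

# Stand-in for `remote_wmi_command_attempt_filter`: the LoFP note says administrators use this
# legitimately, so tuning is an allowlist of (dest, user) pairs known to run remote inventory.
ADMIN_ALLOWLIST = {("admjump", "CORP\\svc_inventory")}

GROUP_BY = ("dest", "user", "parent_process", "process_name", "process",
            "process_id", "parent_process_id")


def remote_wmi_command_attempt(events, allowlist=ADMIN_ALLOWLIST):
    """Python mirror of the tstats search: wmic.exe with 'node' in the command line,
    aggregated by the same fields, then passed through the filter macro."""
    groups = defaultdict(list)
    for ev in events:
        # `process_wmic` (assumed: process_name is wmic.exe) AND Processes.process=*node*
        if ev["process_name"].lower() != "wmic.exe" or "node" not in ev["process"].lower():
            continue
        groups[tuple(ev[f] for f in GROUP_BY)].append(ev["_time"])
    results = []
    for key, times in groups.items():
        row = dict(zip(GROUP_BY, key))
        row.update(count=len(times), firstTime=min(times), lastTime=max(times))
        # The filter macro runs last, so allowlisted admin activity never reaches the alert.
        if (row["dest"], row["user"]) not in allowlist:
            results.append(row)
    return results


if __name__ == "__main__":
    for row in remote_wmi_command_attempt(EVENTS):
        print(row["dest"], row["user"], row["count"], row["process"])
```

The `*node*` wildcard is a plain substring match, so the same allowlist approach is what keeps any command line merely containing "node" from alerting once the legitimate sources of it are known.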