LoFP / ccm

Sample rules

Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell

Description

Detects PowerShell spawned as a child of the WmiPrvSE process, which could be a sign of lateral movement via WMI.

Detection logic

condition: all of selection_*
selection_img:
- Image|endswith:
  - \powershell.exe
  - \pwsh.exe
- OriginalFileName:
  - PowerShell.EXE
  - pwsh.dll
selection_parent:
  ParentImage|endswith: \WmiPrvSE.exe
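To show what the detection block above actually selects, here is an added Python evaluator (not part of the rule or of the LoFP page) that transcribes the Sigma logic and runs it over constructed Sysmon-style process-creation records. The field names (Image, OriginalFileName, ParentImage) come from the rule; the event values are constructed samples, and the matcher assumes Sigma's default case-insensitive string comparison.

```python
"""Apply the page's Sigma detection logic to constructed Sysmon EventID 1 style records."""

# The rule's detection block, transcribed into Python data.
DETECTION = {
    "selection_img": [                      # list of maps: the selection matches when ANY map matches
        {"Image|endswith": [r"\powershell.exe", r"\pwsh.exe"]},
        {"OriginalFileName": ["PowerShell.EXE", "pwsh.dll"]},
    ],
    "selection_parent": {"ParentImage|endswith": r"\WmiPrvSE.exe"},
}

def _field_matches(event, key, values):
    """Match one 'Field|modifier: value(s)' pair; list values are OR'ed, comparison is case-insensitive."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for v in values if isinstance(values, list) else [values]:
        v = str(v).lower()
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "" and actual == v:
            return True
        if modifier not in ("", "endswith"):
            raise ValueError(f"unsupported modifier: {modifier}")
    return False

def _selection_matches(event, selection):
    """A map matches when every field in it matches; a list of maps matches when any map does."""
    if isinstance(selection, list):
        return any(_selection_matches(event, s) for s in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())

def rule_matches(event):
    """condition: all of selection_*  ->  every selection must match."""
    return all(_selection_matches(event, s) for s in DETECTION.values())

# Constructed sample records (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},   # fires: Image + parent
    {"Image": r"C:\Temp\renamed.exe", "OriginalFileName": "pwsh.dll",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},   # fires: OriginalFileName catches the rename
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "OriginalFileName": "pwsh.dll",
     "ParentImage": r"C:\Windows\explorer.exe"},                    # no: parent is not WmiPrvSE
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},   # no: child is not PowerShell
]

def matching_indexes(events=EVENTS):
    """Return the positions of the records the rule would alert on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]

if __name__ == "__main__":
    print(matching_indexes())  # [0, 1]
```

Note that the rule keys only on the parent/child pair, so a management agent that legitimately runs PowerShell through WMI produces an identical record; that is the false-positive family this page catalogues, and tuning has to come from additional context (command line, user, host role) rather than from these fields.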