LoFP / false positives may be present based on third-party applications or administrators using cim. it is recommended to apply appropriate filters as needed to minimize the number of false positives.

Techniques

• T1047

Sample rules

PowerShell Invoke CIMMethod CIMSession

• source: splunk
• technicques:
  • T1047

Description

The following analytic detects the creation of a New-CIMSession cmdlet followed by the use of the Invoke-CIMMethod cmdlet within PowerShell. It leverages PowerShell Script Block Logging to identify these specific cmdlets in the ScriptBlockText field. This activity is significant because it mirrors the behavior of the Invoke-WMIMethod cmdlet, often used for remote code execution via NTLMv2 pass-the-hash authentication. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to unauthorized access and control over targeted systems.

Detection logic

`powershell` EventCode=4104 ScriptBlockText IN ("*invoke-CIMMethod*", "*New-CimSession*") 
| stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `powershell_invoke_cimmethod_cimsession_filter`