LoFP

False positives should be limited, as this analytic is designed to detect a specific utility. It is recommended to apply appropriate filters as needed to minimize the number of false positives.

Techniques

Sample rules

PowerShell Invoke WmiExec Usage

Description

The following analytic detects the execution of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). This detection leverages PowerShell script block logs to identify instances where the Invoke-WMIExec command is used. Monitoring this activity is crucial as it indicates potential lateral movement using WMI commands with NTLMv2 pass-the-hash authentication. If confirmed malicious, this activity could allow an attacker to execute commands remotely on target systems, potentially leading to further compromise and lateral spread within the network.

Detection logic

`powershell` EventCode=4104 ScriptBlockText IN ("*invoke-wmiexec*")
| stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_invoke_wmiexec_usage_filter`
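As an added illustration (not part of the original rule or of the security_content project), the same detection logic in Python over a handful of constructed 4104 events: the case-insensitive wildcard match on ScriptBlockText, the count/firstTime/lastTime aggregation by Computer, EventCode and ScriptBlockText, and a hypothetical `filter_fn` hook standing in for the `powershell_invoke_wmiexec_usage_filter` macro used for tuning.

```python
from datetime import datetime, timezone

# Constructed sample Script Block Logging events (not real logs); _time is epoch seconds.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "Computer": "ws01.corp.example", "EventCode": 4104,
     "ScriptBlockText": "Invoke-WMIExec -Target srv02 -Command hostname"},
    {"_time": 1700000120, "Computer": "ws01.corp.example", "EventCode": 4104,
     "ScriptBlockText": "Invoke-WMIExec -Target srv02 -Command hostname"},
    {"_time": 1700000300, "Computer": "ws02.corp.example", "EventCode": 4104,
     "ScriptBlockText": "Get-WmiObject Win32_Process"},          # benign WMI use, no match
    {"_time": 1700000400, "Computer": "ws03.corp.example", "EventCode": 4103,
     "ScriptBlockText": "invoke-wmiexec -Target srv09"},         # wrong EventCode, no match
    {"_time": 1700000500, "Computer": "jump01.corp.example", "EventCode": 4104,
     "ScriptBlockText": "Import-Module .\\Invoke-WmiExec.ps1; invoke-wmiexec -Target srv09"},
]

def script_block_matches(text):
    """Equivalent of ScriptBlockText IN ("*invoke-wmiexec*"): Splunk wildcard
    matching is case-insensitive, so compare the lower-cased script block."""
    return "invoke-wmiexec" in text.lower()

def ctime(epoch):
    """Stand-in for the security_content_ctime macro: epoch -> readable UTC time."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def detect_invoke_wmiexec(events, filter_fn=None):
    """Mirror the SPL: keep 4104 events naming invoke-wmiexec, then stats
    count/min(_time)/max(_time) by Computer, EventCode, ScriptBlockText.
    filter_fn (hypothetical hook for the filter macro) drops rows it returns False for."""
    groups = {}
    for ev in events:
        if ev["EventCode"] != 4104 or not script_block_matches(ev["ScriptBlockText"]):
            continue
        key = (ev["Computer"], ev["EventCode"], ev["ScriptBlockText"])
        agg = groups.setdefault(key, {"count": 0, "first": ev["_time"], "last": ev["_time"]})
        agg["count"] += 1
        agg["first"] = min(agg["first"], ev["_time"])
        agg["last"] = max(agg["last"], ev["_time"])
    rows = [{"Computer": c, "EventCode": e, "ScriptBlockText": t, "count": a["count"],
             "firstTime": ctime(a["first"]), "lastTime": ctime(a["last"])}
            for (c, e, t), a in groups.items()]
    return [r for r in rows if filter_fn is None or filter_fn(r)]

def exclude_known_hosts(known_hosts):
    """Example tuning filter: suppress rows from sanctioned administrative hosts."""
    return lambda row: row["Computer"] not in known_hosts

if __name__ == "__main__":
    for row in detect_invoke_wmiexec(SAMPLE_EVENTS, exclude_known_hosts({"jump01.corp.example"})):
        print(row)
```

Without a filter the two matching script blocks produce two result rows; the known-host filter then suppresses the jump host, leaving only ws01 with a count of 2.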