PowerShell Invoke WmiExec Usage
- source: splunk
- techniques:
  - T1047
Description
The following analytic detects use of the Invoke-WMIExec utility in PowerShell Script Block Logging (EventCode 4104). Invoke-WMIExec executes WMI commands on remote targets using NTLMv2 pass-the-hash authentication.
Detection logic
`powershell` EventCode=4104 ScriptBlockText IN ("*invoke-wmiexec*")
| stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_invoke_wmiexec_usage_filter`
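The search above, re-implemented in Python over a constructed set of 4104 events so the match, the `stats` grouping and the trailing filter macro can be exercised offline. This is an added example, not part of the Splunk rule or security content; the event records, host names, the allowlist filter and the `ctime` stand-in are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample of Script Block Logging events (EventCode 4104), reduced
# to the fields the search uses; _time is epoch seconds as Splunk stores it.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "Computer": "ws01.corp.example", "EventCode": 4104,
     "ScriptBlockText": "Import-Module .\\Invoke-WMIExec.ps1"},
    {"_time": 1700000030, "Computer": "ws01.corp.example", "EventCode": 4104,
     "ScriptBlockText": "Invoke-WMIExec -Target srv02 -Command hostname"},
    {"_time": 1700000060, "Computer": "ws01.corp.example", "EventCode": 4104,
     "ScriptBlockText": "Invoke-WMIExec -Target srv02 -Command hostname"},
    {"_time": 1700000090, "Computer": "ws05.corp.example", "EventCode": 4104,
     "ScriptBlockText": "Get-Process | Where-Object CPU -gt 100"},
    # Same text but wrong EventCode: must not match (4103 is pipeline execution).
    {"_time": 1700000120, "Computer": "ws05.corp.example", "EventCode": 4103,
     "ScriptBlockText": "invoke-wmiexec"},
]


def matches(event, needle="invoke-wmiexec"):
    """EventCode=4104 ScriptBlockText IN ("*invoke-wmiexec*"); SPL wildcard
    matching is case-insensitive, so compare on the lower-cased text."""
    return event.get("EventCode") == 4104 and needle in str(event.get("ScriptBlockText", "")).lower()


def ctime(epoch):
    """Stand-in (assumption) for `security_content_ctime`: epoch -> readable UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def run_search(events, keep_row=lambda row: True):
    """stats count min(_time) as firstTime max(_time) as lastTime
    by Computer EventCode ScriptBlockText, then the tuning filter macro.
    keep_row plays the role of `powershell_invoke_wmiexec_usage_filter`,
    which is applied to the aggregated rows, not the raw events."""
    groups = {}
    for e in events:
        if not matches(e):
            continue
        key = (e["Computer"], e["EventCode"], e["ScriptBlockText"])
        g = groups.setdefault(key, {"count": 0, "first": e["_time"], "last": e["_time"]})
        g["count"] += 1
        g["first"] = min(g["first"], e["_time"])
        g["last"] = max(g["last"], e["_time"])
    rows = [{"Computer": c, "EventCode": code, "ScriptBlockText": text, "count": g["count"],
             "firstTime": ctime(g["first"]), "lastTime": ctime(g["last"])}
            for (c, code, text), g in groups.items()]
    return [r for r in rows if keep_row(r)]
```

Script Block Logging splits long scripts into several 4104 events, so a match on one fragment is enough for this search, but grouping by ScriptBlockText yields one row per fragment rather than one per script.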