LoFP / False positives should be limited, as this analytic is designed to detect a specific utility. It is recommended to apply appropriate filters as needed to minimize the number of false positives.

Techniques

Sample rules

PowerShell Invoke WmiExec Usage

Description

The following analytic detects the usage of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). The utility is used for executing WMI commands on targets using NTLMv2 pass-the-hash authentication.

Detection logic

`powershell` EventCode=4104 ScriptBlockText IN ("*invoke-wmiexec*") 
| stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `powershell_invoke_wmiexec_usage_filter`
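The search above, replayed over a handful of constructed EventCode 4104 records so the matching and aggregation can be checked offline. This is an added example, not code from the rule or its project: the sample events, the `APPROVED_HOSTS` allowlist and `allowlist_filter` (a stand-in for the `powershell_invoke_wmiexec_usage_filter` macro) are assumptions for illustration.

```python
from datetime import datetime

# Constructed sample Script Block Logging records (not real telemetry). The field
# names mirror what the SPL groups on: Computer, EventCode, ScriptBlockText.
SAMPLE_EVENTS = [
    {"_time": "2024-03-04T09:12:00", "Computer": "ws01.corp.example", "EventCode": 4104,
     "ScriptBlockText": "Invoke-WMIExec -Target 10.0.0.5 -Command hostname"},
    {"_time": "2024-03-04T09:15:30", "Computer": "ws01.corp.example", "EventCode": 4104,
     "ScriptBlockText": "Invoke-WMIExec -Target 10.0.0.5 -Command hostname"},
    {"_time": "2024-03-04T10:01:00", "Computer": "srv02.corp.example", "EventCode": 4104,
     "ScriptBlockText": "iex (gc .\\tools.ps1); invoke-wmiexec -Target dc01"},
    {"_time": "2024-03-04T10:05:00", "Computer": "ws03.corp.example", "EventCode": 4104,
     "ScriptBlockText": "Get-WmiObject -Class Win32_Process | Select Name"},
    # Right text, wrong event: 4103 is pipeline logging, not script block logging.
    {"_time": "2024-03-04T10:06:00", "Computer": "ws03.corp.example", "EventCode": 4103,
     "ScriptBlockText": "Invoke-WMIExec"},
]

# Hypothetical tuning list: hosts reviewed and approved to run this tool.
APPROVED_HOSTS = set()


def matches_rule(event):
    """EventCode=4104 ScriptBlockText IN ("*invoke-wmiexec*").
    Splunk's wildcard match on field values is case-insensitive, so lowercase first."""
    return (event.get("EventCode") == 4104
            and "invoke-wmiexec" in event.get("ScriptBlockText", "").lower())


def allowlist_filter(row):
    """Stand-in for the `powershell_invoke_wmiexec_usage_filter` macro (assumed)."""
    return row["Computer"] not in APPROVED_HOSTS


def run_detection(events, post_filter=allowlist_filter):
    """stats count min(_time) as firstTime max(_time) as lastTime
       by Computer EventCode ScriptBlockText, then the post-filter macro."""
    groups = {}
    for ev in events:
        if not matches_rule(ev):
            continue
        key = (ev["Computer"], ev["EventCode"], ev["ScriptBlockText"])
        t = datetime.fromisoformat(ev["_time"])
        g = groups.setdefault(key, {"Computer": key[0], "EventCode": key[1],
                                    "ScriptBlockText": key[2], "count": 0,
                                    "firstTime": t, "lastTime": t})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], t)
        g["lastTime"] = max(g["lastTime"], t)
    return [row for row in groups.values() if post_filter(row)]


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(f"{row['Computer']} count={row['count']} "
              f"first={row['firstTime']} last={row['lastTime']}")
```

Two rows survive: the repeated invocation on ws01 collapses to one row with count 2, the mixed-case invocation on srv02 still matches, and the Get-WmiObject and EventCode 4103 records are dropped.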