LoFP / This is meant to be a low-risk RBA (risk-based alerting) anomaly analytic, or to be used for hunting. Enable it with a low risk score and let it generate risk in the risk index.

Techniques

Sample rules

Windows PowerShell Get CIMInstance Remote Computer

Description

This analytic identifies the use of Get-CimInstance cmdlet with the -ComputerName parameter, which indicates that the cmdlet is being used to retrieve information from a remote computer. This can be useful for detecting instances of remote access, such as when an attacker uses PowerShell to connect to a remote system and gather information. By monitoring for this cmdlet with the -ComputerName parameter, security analysts can identify potential malicious activity on remote systems and take appropriate action to mitigate any threats.

Detection logic

`powershell` EventCode=4104 ScriptBlockText="*get-ciminstance*" AND ScriptBlockText="*computername*"
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_get_ciminstance_remote_computer_filter`
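As an added worked example (not part of the Splunk rule or the LoFP entry), the search above re-implemented in Python and run over constructed EventCode 4104 records, so the match and grouping behaviour can be checked offline; the `windows_powershell_get_ciminstance_remote_computer_filter` macro is omitted and `ctime` is only an approximation of `security_content_ctime`.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample EventCode 4104 records (not real telemetry); _time is epoch seconds.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "_time": 1700000000, "Computer": "WS01", "user_id": "alice",
     "ScriptBlockText": "Get-CimInstance -ClassName Win32_Process -ComputerName SRV02"},
    {"EventCode": 4104, "_time": 1700000300, "Computer": "WS01", "user_id": "alice",
     "ScriptBlockText": "Get-CimInstance -ClassName Win32_Process -ComputerName SRV02"},
    {"EventCode": 4104, "_time": 1700000600, "Computer": "WS03", "user_id": "bob",
     "ScriptBlockText": "get-ciminstance win32_operatingsystem"},  # local query, no match
    {"EventCode": 4104, "_time": 1700000900, "Computer": "WS04", "user_id": "carol",
     "ScriptBlockText": "Get-CimInstance Win32_BIOS | Add-Member Host $env:COMPUTERNAME"},
    {"EventCode": 4103, "_time": 1700001200, "Computer": "WS01", "user_id": "alice",
     "ScriptBlockText": "Get-CimInstance -ComputerName SRV02"},  # wrong EventCode, no match
]

def matches(event):
    """Mirror the SPL filter: EventCode=4104 with both wildcard terms present.
    A Splunk *term* wildcard is a case-insensitive substring test, so the
    carol event above matches via $env:COMPUTERNAME (a benign false positive)."""
    text = event.get("ScriptBlockText", "").lower()
    return (event.get("EventCode") == 4104
            and "get-ciminstance" in text
            and "computername" in text)

def aggregate(events):
    """Mirror `stats count min(_time) as firstTime max(_time) as lastTime
    by EventCode ScriptBlockText Computer user_id`."""
    groups = defaultdict(list)
    for e in events:
        if matches(e):
            key = (e["EventCode"], e["ScriptBlockText"], e["Computer"], e["user_id"])
            groups[key].append(e["_time"])
    rows = []
    for (code, text, computer, user), times in groups.items():
        rows.append({"EventCode": code, "ScriptBlockText": text, "Computer": computer,
                     "user_id": user, "count": len(times),
                     "firstTime": min(times), "lastTime": max(times)})
    return sorted(rows, key=lambda r: r["firstTime"])

def ctime(epoch):
    """Rough stand-in for the `security_content_ctime` macro: epoch -> UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

if __name__ == "__main__":
    for row in aggregate(SAMPLE_EVENTS):
        print(row["Computer"], row["user_id"], row["count"],
              ctime(row["firstTime"]), ctime(row["lastTime"]), row["ScriptBlockText"])
```

The carol record shows why the entry above asks for a low risk score: the `*computername*` wildcard also matches `$env:COMPUTERNAME` inside a purely local query.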