Techniques
Sample rules
Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
- source: sigma
- techniques:
- t1047
- t1059
- t1059.001
Description
Detects PowerShell running as a child of WmiPrvSE.exe (the WMI Provider Host). A Win32_Process Create request issued over WMI, including one from a remote host, is executed by WmiPrvSE, so this parent/child pair can be a sign of lateral movement via WMI.
Detection logic
condition: all of selection_*
selection_img:
    - Image|endswith:
          - \powershell.exe
          - \pwsh.exe
    - OriginalFileName:
          - PowerShell.EXE
          - pwsh.dll
selection_parent:
    ParentImage|endswith: \WmiPrvSE.exe
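The logic above, run over a handful of process-creation events, as an added example that is not part of the original page or of the Sigma project. It implements only the two Sigma constructs the rule uses (plain equality and the endswith modifier, both case-insensitive as the Sigma specification requires; a list of maps inside a selection is an OR of those maps, and all of selection_* is an AND). The event dicts use Sysmon Event ID 1 field names and are constructed for the example, not real telemetry.

```python
"""
Evaluate 'Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell' over
constructed process-creation events (Sysmon Event ID 1 field names).
Added example; not the page's or the Sigma project's own code.
"""

# selection_img is a LIST of maps: OR between the maps, and each map's list of
# values is also OR'd. selection_parent is a single map: AND between its keys.
SELECTION_IMG = [
    {"Image|endswith": [r"\powershell.exe", r"\pwsh.exe"]},
    {"OriginalFileName": ["PowerShell.EXE", "pwsh.dll"]},
]
SELECTION_PARENT = {"ParentImage|endswith": r"\WmiPrvSE.exe"}


def _field_matches(event, key, wanted):
    """Apply one 'Field|modifier' pair. Sigma string matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    value = value.lower()
    wanted = [wanted] if isinstance(wanted, str) else wanted
    if modifier == "endswith":
        return any(value.endswith(w.lower()) for w in wanted)
    if modifier == "":
        return any(value == w.lower() for w in wanted)
    raise ValueError(f"unsupported modifier: {modifier}")


def _map_matches(event, mapping):
    """Every key inside one map must match (AND)."""
    return all(_field_matches(event, k, v) for k, v in mapping.items())


def selection_matches(event, selection):
    """A list of maps is an OR of the maps; a single map is an AND of its keys."""
    if isinstance(selection, list):
        return any(_map_matches(event, m) for m in selection)
    return _map_matches(event, selection)


def rule_matches(event):
    """condition: all of selection_*"""
    return selection_matches(event, SELECTION_IMG) and selection_matches(
        event, SELECTION_PARENT
    )


# Constructed sample events (not real logs). 'id' is only a label for output.
EVENTS = [
    {  # true positive: the WMI Provider Host launching PowerShell
        "id": "tp-wmi-powershell",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
    },
    {  # renamed copy of powershell.exe: Image misses, OriginalFileName still hits
        "id": "tp-renamed",
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "PowerShell.EXE",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
    },
    {  # benign: interactive PowerShell started from Explorer
        "id": "benign-explorer",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {  # WmiPrvSE spawning cmd.exe: WMI execution, but outside this rule's scope
        "id": "outside-scope-cmd",
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
    },
]


def alerts(events=EVENTS):
    """Return the ids of the events the rule fires on, in input order."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for e in EVENTS:
        print(f"{e['id']:20} -> {'ALERT' if rule_matches(e) else 'ok'}")
```

Two points the run makes visible: the OriginalFileName branch is what keeps a renamed powershell.exe inside the rule, and a WmiPrvSE child that is not PowerShell (cmd.exe in the last event) is deliberately not covered here, so it needs a separate rule. Legitimate remote administration that runs PowerShell through WMI (for example Invoke-WmiMethod against Win32_Process Create) produces exactly the same parent/child pair, so in production tune on CommandLine, the user and the originating host rather than suppressing the rule.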