HackTool - Wmiexec Default Powershell Command

Rule Info

Tags
attack.defense_evasion DEMO attack.lateral_movement
Modified
None
Author
Nasreddine Bencherchali (Nextron Systems)
Name
HackTool - Wmiexec Default Powershell Command
Description
Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script
Date
2023-03-08 00:00:00
Reference
https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py
Id
022eaba8-f0bf-4dd9-9217-4604b0bb3bb0
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=022eaba8-f0bf-4dd9-9217-4604b0bb3bb0

Rule History

Commit
Date
Author
Title
d7083f617
2023-03-13
Nasreddine Bencherchali
fix: apply suggestions from code review
f23780de6
2023-03-09
Nasreddine Bencherchali
feat: update and fixes
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022