HackTool - Wmiexec Default Powershell Command

Rule Info

Name
HackTool - Wmiexec Default Powershell Command
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script
Reference
https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py
Date
2023-03-08 00:00:00
Modified
None
Id
022eaba8-f0bf-4dd9-9217-4604b0bb3bb0
Tags
attack.defense_evasion attack.lateral_movement DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=022eaba8-f0bf-4dd9-9217-4604b0bb3bb0

Rule History

Author
Title
Date
Commit
github-actions[bot]
Merge PR #4700 from @nasbench - Promote older rules status from `experimental` to `test`
2024-02-01
367ebd939
Nasreddine Bencherchali
fix: apply suggestions from code review
2023-03-13
d7083f617
Nasreddine Bencherchali
feat: update and fixes
2023-03-09
f23780de6
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022