← Back to Explore
sigmacriticalHunting
Wmiexec Default Output File
Detects the creation of the default output filename used by the wmiexec tool
Detection Query
selection:
- TargetFilename|re: \\Windows\\__1\d{9}\.\d{1,7}$
- TargetFilename|re: C:\\__1\d{9}\.\d{1,7}$
- TargetFilename|re: D:\\__1\d{9}\.\d{1,7}$
condition: selection
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-06-02
Data Sources
windowsFile Events
Platforms
windows
References
Tags
attack.lateral-movementattack.executionattack.t1047
Raw Content
title: Wmiexec Default Output File
id: 8d5aca11-22b3-4f22-b7ba-90e60533e1fb
status: test
description: Detects the creation of the default output filename used by the wmiexec tool
references:
- https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
- https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-02
modified: 2023-03-08
tags:
- attack.lateral-movement
- attack.execution
- attack.t1047
logsource:
category: file_event
product: windows
detection:
selection:
- TargetFilename|re: '\\Windows\\__1\d{9}\.\d{1,7}$' # Admin$
- TargetFilename|re: 'C:\\__1\d{9}\.\d{1,7}$' # C$
- TargetFilename|re: 'D:\\__1\d{9}\.\d{1,7}$' # D$
condition: selection
falsepositives:
- Unlikely
level: critical