
Summary
This analytic rule detects the use of the Invoke-WMIExec utility within PowerShell Script Block Logging, specifically monitoring for EventCode 4104. Invoke-WMIExec is a PowerShell utility for remote command execution over Windows Management Instrumentation (WMI) and may signify malicious activity such as lateral movement in a network. By capturing any execution of the command, this analytic can help identify unauthorized access and enhance security by alerting administrators to potential threats where NTLMv2 pass-the-hash authentication is employed. Through this rule, defenders can maintain vigilance over WMI command usage, which is essential for preventing and mitigating breaches in a corporate environment.
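As an added example (not part of the original rule or its source), the detection logic above written in Python over constructed EventCode 4104 records: fragments of one script block are reassembled by ScriptBlockId before matching, since a long block is logged as several events. Host names, user names and block ids are made up.

```python
import re
from collections import defaultdict

# PowerShell is case-insensitive, so match the cmdlet name regardless of casing.
INVOKE_WMIEXEC = re.compile(r"\binvoke-wmiexec\b", re.IGNORECASE)

def reassemble_script_blocks(events):
    """Join 4104 fragments per ScriptBlockId in MessageNumber order; long script
    blocks are logged as several events, so match the joined text, not fragments."""
    fragments = defaultdict(list)
    for ev in events:
        if str(ev.get("EventCode")) != "4104":
            continue  # ignore other PowerShell events (e.g. 4103 module logging)
        fragments[ev["ScriptBlockId"]].append(ev)
    blocks = {}
    for block_id, parts in fragments.items():
        parts.sort(key=lambda p: int(p["MessageNumber"]))
        blocks[block_id] = {
            "Computer": parts[0]["Computer"],
            "UserID": parts[0]["UserID"],
            "ScriptBlockText": "".join(p["ScriptBlockText"] for p in parts),
        }
    return blocks

def detect_invoke_wmiexec(events):
    """Return one alert per reassembled script block that names Invoke-WMIExec."""
    alerts = []
    for block_id, blk in reassemble_script_blocks(events).items():
        if INVOKE_WMIEXEC.search(blk["ScriptBlockText"]):
            alerts.append({"ScriptBlockId": block_id, "Computer": blk["Computer"],
                           "UserID": blk["UserID"], "Technique": "T1047"})
    return alerts

# Constructed sample records (hypothetical hosts, users and ids), not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": "4104", "Computer": "ws01.example.local", "UserID": "EXAMPLE\\jdoe",
     "ScriptBlockId": "b1", "MessageNumber": "1",
     "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending"},
    # A split block: the cmdlet name only appears once fragments 1 and 2 are joined.
    {"EventCode": "4104", "Computer": "ws02.example.local", "UserID": "EXAMPLE\\svc-admin",
     "ScriptBlockId": "b2", "MessageNumber": "2", "ScriptBlockText": "WMIExec"},
    {"EventCode": "4104", "Computer": "ws02.example.local", "UserID": "EXAMPLE\\svc-admin",
     "ScriptBlockId": "b2", "MessageNumber": "1", "ScriptBlockText": "$t = 'srv01'; Invoke-"},
    {"EventCode": "4103", "Computer": "ws01.example.local", "UserID": "EXAMPLE\\jdoe",
     "ScriptBlockId": "b3", "MessageNumber": "1", "ScriptBlockText": "Invoke-WMIExec"},
]

if __name__ == "__main__":
    for alert in detect_invoke_wmiexec(SAMPLE_EVENTS):
        print(alert)
```

Only the split block on ws02 produces an alert; the 4103 record is ignored even though its text contains the cmdlet name, because the rule is scoped to Script Block Logging.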
Categories
- Endpoint
Data Sources
- Pod
ATT&CK Techniques
- T1047
Created: 2024-11-13