Remote Execution via WMIC
Identifies use of wmic.exe to run commands on remote hosts.
| id: | 07b1481c-2a20-4274-a64e-effcd40941a5 |
|---|---|
| categories: | detect |
| confidence: | low |
| os: | windows |
| created: | 11/30/2018 |
| updated: | 11/30/2018 |
MITRE ATT&CK™ Mapping
| tactics: | Lateral Movement, Execution |
|---|---|
| techniques: | T1047 Windows Management Instrumentation |
Query
process where subtype.create and process_name == "wmic.exe" and
(command_line == "* /node:*" or command_line == "* -node:*") and
(command_line == "* *process* call *")
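
To check what the three clauses of the query accept and reject, the following added example (not part of the original analytic or of the EQL engine) re-implements them in Python and runs them over constructed process events. The `event_type` key, the dict layout, the host names and the case-insensitive wildcard comparison are assumptions of this sketch.

```python
import re

def wildcard(pattern, value):
    """EQL-style wildcard compare: '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    # Case-insensitive matching is an assumption of this sketch.
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None

def matches_rule(event):
    """Apply the clauses of the query above to one process event (a dict)."""
    cmd = event.get("command_line", "")
    return (
        event.get("event_type") == "process"
        and event.get("subtype") == "create"
        and event.get("process_name", "").lower() == "wmic.exe"
        and (wildcard("* /node:*", cmd) or wildcard("* -node:*", cmd))
        and wildcard("* *process* call *", cmd)
    )

def ev(subtype, name, cmd):
    """Build one constructed event in the assumed dict layout."""
    return {"event_type": "process", "subtype": subtype,
            "process_name": name, "command_line": cmd}

# Constructed sample events; hosts and commands are illustrative only.
SAMPLE_EVENTS = [
    # remote node + "process call": matches
    ev("create", "wmic.exe", 'wmic.exe /node:192.0.2.10 process call create "calc.exe"'),
    # "-node:" form, with a WHERE clause between "process" and "call": matches
    ev("create", "WMIC.exe", 'wmic -node:WS01 process where name="notepad.exe" call terminate'),
    # local execution, no node switch: no match
    ev("create", "wmic.exe", 'wmic process call create "calc.exe"'),
    # remote query that never invokes "process ... call": no match
    ev("create", "wmic.exe", "wmic /node:WS01 os get caption"),
    # process termination event, not a creation: no match
    ev("terminate", "wmic.exe", 'wmic.exe /node:192.0.2.10 process call create "calc.exe"'),
]

def detect(events):
    """Return the command lines of all events the rule flags."""
    return [e["command_line"] for e in events if matches_rule(e)]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Both flagged command lines are also what routine remote administration with wmic.exe looks like, which is consistent with the analytic's low confidence rating.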