The hypothesis is that an adversary is using Impacket's wmiexec to run commands on remote hosts over WMI. wmiexec redirects each command's output to a file in an administrative share (ADMIN$ by default, i.e. under \Windows; C$ or D$ when another share is chosen), reads that file back over SMB and then deletes it, so the file is a by-product of remote execution, not a staging location for exfiltration or persistence. The file name is built from the Unix time at which the tool started, which makes it a stable artefact to hunt for. SOC teams should proactively hunt for this file name in Azure Sentinel to surface lateral movement and remote command execution. The match is on Impacket's default naming only: a build of wmiexec that changes the output file name will not be caught by this rule.
Detection Rule
title: Wmiexec Default Output File
id: 8d5aca11-22b3-4f22-b7ba-90e60533e1fb
status: test
description: Detects the creation of the default output filename used by the wmiexec tool
references:
    - https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
    - https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-02
modified: 2023-03-08
tags:
    - attack.lateral-movement
    - attack.execution
    - attack.t1047
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|re: '\\Windows\\__1\d{9}\.\d{1,7}$' # Admin$
        - TargetFilename|re: 'C:\\__1\d{9}\.\d{1,7}$' # C$
        - TargetFilename|re: 'D:\\__1\d{9}\.\d{1,7}$' # D$
    condition: selection
falsepositives:
    - Unlikely
level: critical
The same selection as an Azure Sentinel query over the ASIM file-event parser. The match has to be made on the full normalised path (TargetFilePath): the ASIM TargetFileName field holds only the file name, so the \Windows\ prefix in the ADMIN$ pattern would never match it and the query would be silent. Verbatim strings (@"...") are used so the regex backslashes do not need to be doubled a second time.
imFileEvent
// file_event in the Sigma rule corresponds to file creation
| where EventType == "FileCreated"
| where TargetFilePath matches regex @"\\Windows\\__1\d{9}\.\d{1,7}$"   // ADMIN$
    or TargetFilePath matches regex @"C:\\__1\d{9}\.\d{1,7}$"          // C$
    or TargetFilePath matches regex @"D:\\__1\d{9}\.\d{1,7}$"          // D$
The file name pattern is specific to Impacket's wmiexec, and the rule is a file_event rule: it sees the path, the host, the user and the creating process, but no command line. Exclusions therefore have to be keyed on who wrote the file and from where, not on tool names or command-line contents. On the target, Security event 5145 (Audit Detailed File Share) records the share, the relative target name, the account and the client address of the SMB session that wrote the file, which is the right place to pull the source host and account from.
Scenario: Scheduled Administrative Job Built on Impacket's wmiexec
Description: An administrator automates log collection, health checks or data synchronisation from a Linux host with wmiexec.py, so the default output file is created on the target on every run.
Filter/Exclusion: Exclude only the documented service account when it arrives from the documented automation host (account and client address from the correlated 5145 event), limited to the target hosts the job is supposed to reach. Do not exclude on the account alone; the same account used from any other source should still alert.
Scenario: Authorized Penetration Test or Red Team Engagement
Description: An assessment team uses wmiexec for lateral movement during an approved engagement.
Filter/Exclusion: Exclude by the accounts and source addresses named in the rules of engagement, for the engagement window only, and remove the exclusion afterwards. Alternatively keep the alerts and tag them: the same activity from an unexpected account or host is exactly what the rule exists to catch.
Scenario: Patch Deployment, Monitoring and Other Commercial Tooling
Description: Products such as Microsoft Deployment Toolkit, SCCM, SolarWinds or Nagios do not run Impacket's wmiexec and do not create a file with this name, so they are not a source of false positives for this rule.
Filter/Exclusion: Do not add exclusions keyed on these product names; they widen the rule for no gain. If a rule hit appears to come from such a product, treat it as a finding until the creating process and the SMB session that wrote the file have been identified.
Scenario: Interactive Troubleshooting Through wmiexec (e.g. launching powershell.exe)
Description: An admin runs PowerShell on a remote host through wmiexec instead of through WinRM.
Filter/Exclusion: Do not exclude on powershell.exe or on domain admin membership: wmiexec running PowerShell under a domain admin account is a textbook attack pattern. Steer admins to WinRM/PowerShell Remoting, which produces its own well-understood telemetry, and exclude, if at all, only the named admin account from the named admin workstation.
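To check the rule's three regular expressions against the name wmiexec actually produces, and to show how the exclusions above are applied on file-event fields rather than on a command line, here is an added Python example. It is not part of the Sigma rule, of Impacket or of this page's original content. The FileEvent field names, the sample events, the hosts, addresses and the allowlist are all constructed for the example; map the fields to your own schema (for instance ASIM TargetFilePath and ActorUsername).

```python
import re
import time
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# The three expressions from the Sigma rule, unchanged. They are anchored at the
# end of the path, so the file must sit directly in ADMIN$ (\Windows), C$ or D$.
WMIEXEC_OUTPUT_PATTERNS = [
    re.compile(r"\\Windows\\__1\d{9}\.\d{1,7}$"),   # ADMIN$
    re.compile(r"C:\\__1\d{9}\.\d{1,7}$"),          # C$
    re.compile(r"D:\\__1\d{9}\.\d{1,7}$"),          # D$
]


def wmiexec_output_name(started_at: float) -> str:
    """Rebuild the default name the referenced wmiexec.py uses,
    '__' + str(time.time()). Used here only to generate sample data."""
    return "__" + str(started_at)


def is_wmiexec_output(target_path: str) -> bool:
    """True if the path matches the rule's selection (any of the three regexes)."""
    return any(p.search(target_path) for p in WMIEXEC_OUTPUT_PATTERNS)


@dataclass(frozen=True)
class FileEvent:
    """Minimal file-creation record. Field names are assumptions for this example."""
    host: str
    target_path: str
    user: str
    src_ip: str  # client address of the SMB session that wrote the file (Security 5145)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    FileEvent("SRV01", r"C:\Windows\__1654186932.25", "CORP\\svc-redteam", "10.0.5.20"),
    FileEvent("SRV02", r"C:\Windows\__1654187000.5", "CORP\\jdoe", "10.0.9.77"),
    FileEvent("SRV02", r"C:\__1654187001.55", "CORP\\jdoe", "10.0.9.77"),            # -share C$
    FileEvent("SRV03", r"D:\__1654187002.0", "CORP\\svc-backup", "10.0.5.20"),       # -share D$
    FileEvent("WS17", r"C:\Windows\Temp\__1654187003.1", "CORP\\alice", "10.0.8.3"),  # not share root
    FileEvent("WS17", r"C:\Windows\__16541.log", "CORP\\alice", "10.0.8.3"),          # no timestamp
    FileEvent("SRV04", r"C:\Users\bob\__1654187004.2", "CORP\\bob", "10.0.8.9"),      # not share root
]

# Constructed allowlist: one approved red-team account from its jump host.
AUTHORIZED_SOURCES = {("CORP\\svc-redteam", "10.0.5.20")}


def hunt(events: Iterable[FileEvent],
         allowlist: Set[Tuple[str, str]]) -> List[FileEvent]:
    """Apply the rule, then drop only (account, source host) pairs that are
    explicitly authorised. A file_event rule has no command line, so the
    exclusion is keyed on who wrote the file and from where, never on a tool
    name. The same account from another host, or another account from the
    same host, still alerts."""
    hits = [e for e in events if is_wmiexec_output(e.target_path)]
    return [e for e in hits if (e.user, e.src_ip) not in allowlist]


if __name__ == "__main__":
    # A name generated right now, as wmiexec would create it, must match.
    assert is_wmiexec_output("\\Windows\\" + wmiexec_output_name(time.time()))
    for e in hunt(SAMPLE_EVENTS, AUTHORIZED_SOURCES):
        print(f"ALERT host={e.host} user={e.user} src={e.src_ip} file={e.target_path}")
```

Of the seven constructed events, four match the rule and one of those (the authorised red-team account from its jump host) is dropped; the backup account coming from the same jump host is kept, which is the behaviour the exclusion advice above asks for.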