MATCH-S00150.md

File metadata and controls

35 lines (28 loc) · 1011 Bytes

Rules: WMI Launching Shell

Description

Observes for Windows Management Instrumentation (WMI) launching a shell: the rule fires on a process-creation event whose parent image (parentBaseImage) is a WMI process and whose child image (baseImage) is a command shell, which is the execution pattern of WMI-based local or remote command execution (MITRE ATT&CK T1047, Execution tactic). The signal carries a static severity and applies risk to the host, IP and user, so check the parent process and the command line before escalating; legitimate management tooling also runs commands through WMI.

Additional Details

| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Execution |
| Apply Risk to Entities | device_hostname, device_ip, user_username |
| Signal Name | WMI Launching Shell |
| Summary Expression | A WMI process has been used to launch a shell on host: {{device_hostname}} |
| Score/Severity | Static: 1 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0002, _mitreAttackTechnique:T1047 |

Vendors and Products

Fields Used

| Origin | Field |
|---|---|
| Normalized Schema | LOWER |
| Normalized Schema | baseImage |
| Normalized Schema | commandLine |
| Normalized Schema | device_hostname |
| Normalized Schema | device_ip |
| Normalized Schema | parentBaseImage |
| Normalized Schema | user_username |
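The following is an added, stand-alone re-implementation of the match described above, run over constructed normalized process events; it is not the rule's own expression and not code from the rule repository. The page lists only the fields the rule reads, so the set of WMI parent images (WmiPrvSE.exe) and shell images (cmd.exe, powershell.exe, pwsh.exe) below are assumptions, as are the sample events; the case-insensitive comparison mirrors the LOWER in the fields list.

```python
"""Added example: re-implements the "WMI Launching Shell" match over
constructed normalized process events. The image lists are assumptions;
the page does not publish the rule's match expression."""
from __future__ import annotations

import ntpath
from typing import Iterable

# Assumed match lists (not taken from the rule itself).
WMI_PARENT_IMAGES = {"wmiprvse.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Values from the rule's "Additional Details" table.
SIGNAL_NAME = "WMI Launching Shell"
SUMMARY_TEMPLATE = "A WMI process has been used to launch a shell on host: {device_hostname}"
SEVERITY = 1
TAGS = ("_mitreAttackTactic:TA0002", "_mitreAttackTechnique:T1047")
RISK_ENTITIES = ("device_hostname", "device_ip", "user_username")


def _basename_lower(image: str | None) -> str:
    """Apply LOWER to the file name of a Windows image path; ntpath handles
    both backslash and forward-slash separators, and a missing field yields ''."""
    if not image:
        return ""
    return ntpath.basename(image).lower()


def is_wmi_launching_shell(event: dict) -> bool:
    """True when the parent image is a WMI provider host and the child a shell."""
    parent = _basename_lower(event.get("parentBaseImage"))
    child = _basename_lower(event.get("baseImage"))
    return parent in WMI_PARENT_IMAGES and child in SHELL_IMAGES


def build_signal(event: dict) -> dict:
    """Render the summary expression and collect the entities that receive risk."""
    return {
        "name": SIGNAL_NAME,
        "summary": SUMMARY_TEMPLATE.format(device_hostname=event.get("device_hostname", "")),
        "severity": SEVERITY,
        "tags": list(TAGS),
        "entities": {k: event.get(k) for k in RISK_ENTITIES if event.get(k)},
        "commandLine": event.get("commandLine", ""),
    }


def run_rule(events: Iterable[dict]) -> list[dict]:
    """Evaluate every event and return one signal per match, in input order."""
    return [build_signal(e) for e in events if is_wmi_launching_shell(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # fires: WmiPrvSE spawning cmd.exe, mixed-case paths
        "device_hostname": "WS-042", "device_ip": "10.0.5.17", "user_username": "CORP\\jdoe",
        "parentBaseImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
        "baseImage": "C:\\WINDOWS\\system32\\CMD.EXE",
        "commandLine": "cmd.exe /c whoami > C:\\Users\\Public\\w.txt",
    },
    {  # fires: 32-bit provider host spawning PowerShell
        "device_hostname": "SRV-DB01", "device_ip": "10.0.9.3", "user_username": "SYSTEM",
        "parentBaseImage": "C:\\Windows\\SysWOW64\\wbem\\wmiprvse.exe",
        "baseImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "commandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
    },
    {  # must not fire: interactive user opening cmd from Explorer
        "device_hostname": "WS-042", "device_ip": "10.0.5.17", "user_username": "CORP\\jdoe",
        "parentBaseImage": "C:\\Windows\\explorer.exe",
        "baseImage": "C:\\Windows\\System32\\cmd.exe",
        "commandLine": "cmd.exe",
    },
    {  # must not fire: WMI provider host spawning a non-shell binary
        "device_hostname": "SRV-DB01", "device_ip": "10.0.9.3", "user_username": "SYSTEM",
        "parentBaseImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
        "baseImage": "C:\\Windows\\System32\\ipconfig.exe",
        "commandLine": "ipconfig /all",
    },
    {  # must not fire: event without a parent image field
        "device_hostname": "WS-099", "baseImage": "C:\\Windows\\System32\\cmd.exe",
        "commandLine": "cmd.exe",
    },
]


if __name__ == "__main__":
    for signal in run_rule(SAMPLE_EVENTS):
        print(signal["summary"], "|", signal["entities"], "|", signal["commandLine"])
```

Two of the five constructed events produce a signal. Matching on the lower-cased basename rather than the full path is what keeps the SysWOW64 provider host and the upper-cased CMD.EXE inside the match; widening WMI_PARENT_IMAGES or SHELL_IMAGES is where you would tune coverage against the shells and WMI hosts in your own telemetry.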