WMI used to remotely execute content
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
What happened
{{ @process.executable.name }}
spawned from Windows Management Instrumentation (WMI), which could indicate lateral movement from another compromised host.
Goal
Detects when WMI spawns a shell to execute content.
Strategy
Threat actors are known to utilize tools found natively in a victim’s environment to accomplish their objectives. Windows Management Instrumentation, a legitimate Windows capability, has been abused by malicious actors in the past to execute content on remote systems.
Triage and response
- Identify what is being executed, and if it is authorized.
- Identify account used to remotely authenticate to the host.
- If it’s not authorized, isolate the host from the network, and lock down potentially compromised account.
- Follow your organization’s internal processes for investigating and remediating compromised systems.
Requires Agent version 7.50.0 or greater.