LetsDefend SA Event ID: 71, SOC134 — Suspicious WMI Activity
Common Information

UUID: 52fe2ef1-7880-40ea-9a21-3dfc4f593a56
Fingerprint: 2694151f29a69711
Analysis status: DONE
Considered CTI value: 0
Text language: (not set)
Published: Oct. 4, 2024, 9:54 p.m.
Added to db: Oct. 5, 2024, 12:59 a.m.
Last updated: Nov. 17, 2024, 6:50 p.m.
Headline: LetsDefend SA Event ID: 71, SOC134 — Suspicious WMI Activity
Title: LetsDefend SA Event ID: 71, SOC134 — Suspicious WMI Activity
Detected Hints/Tags/Attributes: 34/1/18
RSS Feed

Id: 167
Enabled: (not set)
Feed title: Cybersecurity on Medium
Url: https://medium.com/feed/tag/cybersecurity
Added to db: 2024-08-30 22:08
Attributes

Columns: Type, #Events (number of events in the database carrying this value), Value. The CTI Value column is empty for every row in the source.

Type    #Events  Value
Domain  49       wmiexec.py
Domain  1        rat.new
Domain  93       bazaar.abuse.ch
Domain  172      www.crowdstrike.com
Domain  1        wadcoms.github.io
File    45       wmiexec.py
File    142      wmiprvse.exe
File    306      services.exe
File    5        browse.php
md5     1        50459310eded4c520ab5c9e3626a9300
sha256  1        be77e6113a985dc305be15ec419411bb840b69f8652d33fa919ae5c797b3ea85
IPv4    1        172.16.17.54
IPv4    1441     127.0.0.1
Url     1        https://www.virustotal.com/gui/file/be77e6113a985dc305be15ec419411bb840b69f8652d33fa919ae5c797b3ea85/community
Url     1        https://www.hybrid-analysis.com/sample/be77e6113a985dc305be15ec419411bb840b69f8652d33fa919ae5c797b3ea85/64c8e17fcec21d4b1e0d96bc
Url     1        https://bazaar.abuse.ch/browse.php?search=md5:50459310eded4c520ab5c9e3626a9300
Url     1        https://www.crowdstrike.com/en-us/blog/how-to-detect-and-prevent-impackets-wmiexec
Url     1        https://wadcoms.github.io/wadcoms/impacket-wmiexec