```yaml
title: Impacket WmiExec Lateral Movement
id: edr-win-lat-impacket-wmiexec
status: stable
description: >
  Detects Impacket-based lateral movement by identifying cmd.exe or PowerShell
  spawning from the WMI provider host (wmiprvse.exe), services.exe, or the task
  scheduler with output redirected to \\127.0.0.1\ADMIN$ or C$\Windows\Temp,
  Impacket's signature output pattern. Covers the wmiexec, smbexec, and atexec
  modules.
references:
  - https://github.com/fortra/impacket
  - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild
author: ShroudCloud
date: 2026/04/14
modified: 2026/04/14
tags:
  - attack.lateral_movement
  - attack.execution
  - attack.t1047
  - attack.t1021.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_wmiexec:
    ParentImage|endswith:
      - '\wmiprvse.exe'
      - '\mmc.exe'
      - '\services.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains|all:
      - '/Q /c'
      - '\\\\'
      - '&1'
  selection_atexec:
    ParentImage|endswith:
      - '\svchost.exe'
      - '\taskeng.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains|all:
      - '/c'
      - 'Windows\Temp\'
      - '&1'
  condition: selection_wmiexec or selection_atexec
falsepositives:
  - Remote administration tools that redirect output to ADMIN$ (rare)
level: critical
```
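To check what the two selections actually cover before deploying the rule, the following added example (written for this page; it is not part of the rule, of Sigma, or of the Impacket project) re-implements the `endswith` and `contains|all` modifiers with Sigma's case-insensitive semantics and runs them over constructed `process_creation` events. The evaluator functions (`evaluate`, `run_all`) and every sample event are assumptions made here: the first two events reproduce the output-redirection shape the rule describes, the third is a benign lookalike, and the fourth is the kind of legitimate scheduled task that the `falsepositives` field warns will also fire.

```python
"""Minimal evaluator for the two selections of the Sigma rule above.

Added example, not the rule's or the Sigma project's own code. It covers only
the modifiers the rule uses and the 'A or B' condition, so that the rule's
coverage and its known false-positive class can be tested offline.
"""

# Selections transcribed from the rule. In Sigma YAML the single-quoted '\\\\'
# is an escaped pair that matches the literal two-character string "\\" (the
# UNC path prefix); Python's "\\\\" is that same two-backslash literal.
RULE = {
    "selection_wmiexec": {
        "ParentImage|endswith": ["\\wmiprvse.exe", "\\mmc.exe", "\\services.exe"],
        "Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\pwsh.exe"],
        "CommandLine|contains|all": ["/Q /c", "\\\\", "&1"],
    },
    "selection_atexec": {
        "ParentImage|endswith": ["\\svchost.exe", "\\taskeng.exe"],
        "Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\pwsh.exe"],
        "CommandLine|contains|all": ["/c", "Windows\\Temp\\", "&1"],
    },
}


def _field_matches(event, key, patterns):
    """Evaluate one `Field|modifier[...]` line against an event (case-insensitive)."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()
    pats = [p.lower() for p in patterns]
    if mods == ["endswith"]:
        return any(value.endswith(p) for p in pats)
    if mods == ["contains", "all"]:
        return all(p in value for p in pats)
    if mods == ["contains"]:
        return any(p in value for p in pats)
    raise ValueError(f"unsupported modifier chain: {mods}")


def selection_matches(event, selection):
    """Every field line inside a selection map must match (Sigma AND semantics)."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def evaluate(event):
    """Return the names of the selections that fire; the condition is 'A or B'."""
    return [name for name, sel in RULE.items() if selection_matches(event, sel)]


# Constructed sample events (not real telemetry).
EVENTS = [
    {   # wmiexec-style: cmd from the WMI provider host, output to the ADMIN$ share
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1712345678.12 2>&1",
    },
    {   # atexec-style: cmd from the task scheduler host, output to Windows\Temp
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /C hostname > C:\Windows\Temp\abcdefgh.tmp 2>&1",
    },
    {   # benign: shell from explorer, UNC path present but no stderr redirection
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /Q /c dir \\fileserver\share",
    },
    {   # false-positive class from the rule's falsepositives field: a legitimate
        # scheduled task logging to Windows\Temp with stderr merged into stdout
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "C:\Program Files\Backup\run.bat" > C:\Windows\Temp\backup.log 2>&1',
    },
]


def run_all(events=EVENTS):
    """Map each event's index to the list of selections it triggers."""
    return {i: evaluate(e) for i, e in enumerate(events)}


if __name__ == "__main__":
    for i, hits in run_all().items():
        print(i, hits or "no match")
```

Running it shows events 0 and 1 hitting `selection_wmiexec` and `selection_atexec` respectively, event 2 not matching (the `&1` token is what separates redirected output from an ordinary UNC listing), and event 3 matching `selection_atexec`, which is why the rule is rated `critical` yet still lists scheduled tasks that log to `Windows\Temp` as a false-positive source to tune per environment.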