execute shell command via Windows Remote Management

edit on GitHub
search on VirusTotal

# generated using capa explorer for IDA Pro
rule:
  meta:
    name: execute shell command via Windows Remote Management
    namespace: host-interaction/process/create
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: thread
  features:
    - and:
      - or:
        - api: wsmsvc.WSManRunShellCommand
        - api: wsmsvc.WSManRunShellCommandEx
      - optional:
        - api: wsmsvc.WSManCreateShell

last edited: 2023-11-24 10:34:28