Hunting for Impacket's WmiExec Using Entropy & Graphs
Description: Hunting for the presence of Impacket’s WmiExec commands on a host by calculating & graphing entropy
This blog post will dive into calculating and graphing the entropy of Powershell commands in an attempt to discover the use of impacket’s wmiexec.py tool. The data set we’ll be using is in a CSV format and is exported from SysInternals' Process Monitor (ProcMon) tool. I generated this data by running benign commands, then using wmiexec to remotely log into a system & running some commands as well.
You can find the Python code used for this blog post here
When using wmiexec.py, you can opt to default to use the Powershell shell type by specifying the -shell-type option like so:
wmiexec.py -shell-type powershell administrator@<IP Address>.
Let’s do this & then run whoami once we get a shell to see what this event would look like within Procmon.
Viewing this event in Procmon, it’d look like this:
Full expanded command: 
My initial assumption when looking at the command line is that there’s likely a high entropy associated with it due to the amount of randomness within the encoded base64 command as well as the Unix format timestamp file that the output of the command is sent to.
Throwing this full command into Cyberchef’s Shannon Entropy calculator tells us that the command has an entropy of 5.25. If we throw a basic command in there, such as cmd.exe /c whoami shows us that there’s an entropy of 3.68. The difference isn’t that large, but it’s definitely noticeable.
I believe that the difference would be much more visually noticeable when you graph the various entropy values of different benign commands along with malicious commands that wmiexec runs. Let’s get to graphing to test this theory out. I’ll be using Python to calculate the entropy & visualize the data with Plotly.
The first 4 bars represent benign commands, such as:
powershell.exe /c dircmd.exe /Q /c powershell.exe /c dirpowershell.exe /c whoamicmd.exe /Q /c powershell.exe /c whoami
The remaining 8 bars represent malicious commands ran on a system by wmiexec.
As you can probably tell, there’s a significant visual difference in entropy when comparing benign commands & malicious wmiexec commands.
There’s also a noticeable difference in entropy between the parent command ran (cmd.exe /Q /c powershell.exe -NoP <etc>) & the child command spawned (powershell.exe -NoP <etc>). For example:
The above image shows how the parent command has an entropy of 5.230266 while the spawned child command has a slightly lower entropy of 4.730619.
So the parent command has a higher entropy when compared to the child command it spawns which is visually noticeable. I think what contributes to this is the Unix-format timestamp that the parent command uses to send the output of the command into since it contains a bit of randomness (EX: \\\\127.0.0.1\\ADMIN$\\__1728703906.3910286)
Let’s only graph out the parent command (cmd.exe /Q /c powershell.exe -NoP <etc>) to maximize how visually noticeable the difference is between benign & malicious commands:
As you can see, the first two bars are benign commands while the rest are malicious. There’s a noticeable difference visually since the benign commands are both below an entropy of 4 while the malicious commands all have an entropy above 5.
Overall, using entropy combined with graphing is a a single useful method that can be utilized in order to detect suspicious randomness in commands being ran on a particular system by tools such as wmiexec. This may be a decent indicator of something like base64 being used inside of a command or randomly generated filenames which may be suspicious and require further investigation. I would love to see how scalable this method is in the future so I may look into that next.