mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 10:13:57 +00:00
36 lines
1.1 KiB
YAML
36 lines
1.1 KiB
YAML
|
title: Suspicious Scripting in a WMI Consumer
|
||
|
status: experimental
|
||
|
description: Detects suspicious scripting in WMI Event Consumers
|
||
|
author: Florian Roth
|
||
|
references:
|
||
|
- https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/
|
||
|
- https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19
|
||
|
date: 2019/04/15
|
||
|
tags:
|
||
|
- attack.t1086
|
||
|
- attack.execution
|
||
|
logsource:
|
||
|
product: windows
|
||
|
service: sysmon
|
||
|
detection:
|
||
|
selection:
|
||
|
EventID: 20
|
||
|
Destination:
|
||
|
- '*new-object system.net.webclient).downloadstring(*'
|
||
|
- '*new-object system.net.webclient).downloadfile(*'
|
||
|
- '*new-object net.webclient).downloadstring(*'
|
||
|
- '*new-object net.webclient).downloadfile(*'
|
||
|
- '* iex(*'
|
||
|
- '*WScript.shell*'
|
||
|
- '* -nop *'
|
||
|
- '* -noprofile *'
|
||
|
- '* -decode *'
|
||
|
- '* -enc *'
|
||
|
condition: selection
|
||
|
fields:
|
||
|
- CommandLine
|
||
|
- ParentCommandLine
|
||
|
falsepositives:
|
||
|
- Administrative scripts
|
||
|
level: high
|