action: global
title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
id: 074e0ded-6ced-4ebd-8b4d-53f55908119d
description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
status: experimental
references:
    - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
author: Julia Fomina, oscd.community
date: 2020/10/06
tags:
    - attack.defense_evasion
    - attack.t1216
level: medium
falsepositives:
    - Unlikely
---
logsource:
    category: process_creation
    product: windows
detection:
    contains_format_pretty_arg:       
        CommandLine|contains:
            - 'format:pretty'
            - 'format:"pretty"'
            - 'format:"text"'
            - 'format:text'
    image_from_system_folder:
        Image|startswith: 
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    contains_winrm:
        CommandLine|contains: 'winrm'
    condition: contains_winrm and (contains_format_pretty_arg and not image_from_system_folder)
---
logsource:
    product: windows
    category: file_event
detection:
    system_files:
        TargetFilename|endswith: 
            - 'WsmPty.xsl'
            - 'WsmTxt.xsl'
    in_system_folder:
        TargetFilename|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: system_files and not in_system_folder