SigmaHQ/rules/windows/powershell/powershell_wmimplant.yml

46 lines
1.1 KiB
YAML

title: WMImplant Hack Tool
id: 8028c2c3-e25a-46e3-827f-bbb5abf181d7
status: experimental
description: Detects parameters used by WMImplant
references:
- https://github.com/FortyNorthSecurity/WMImplant
tags:
- attack.execution
- attack.t1047
- attack.t1059.001
- attack.t1086 #an old one
author: NVISO
date: 2020/03/26
logsource:
product: windows
service: powershell
definition: "Script block logging must be enabled"
detection:
selection:
ScriptBlockText|contains:
- "WMImplant"
- " change_user "
- " gen_cli "
- " command_exec "
- " disable_wdigest "
- " disable_winrm "
- " enable_wdigest "
- " enable_winrm "
- " registry_mod "
- " remote_posh "
- " sched_job "
- " service_mod "
- " process_kill "
# - " process_start "
- " active_users "
- " basic_info "
# - " drive_list "
# - " installed_programs "
- " power_off "
- " vacant_system "
- " logon_events "
condition: selection
falsepositives:
- Administrative scripts that use the same keywords.
level: high