mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 01:45:21 +00:00
46 lines
1.1 KiB
YAML
46 lines
1.1 KiB
YAML
title: WMImplant Hack Tool
|
|
id: 8028c2c3-e25a-46e3-827f-bbb5abf181d7
|
|
status: experimental
|
|
description: Detects parameters used by WMImplant
|
|
references:
|
|
- https://github.com/FortyNorthSecurity/WMImplant
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1047
|
|
- attack.t1059.001
|
|
- attack.t1086 #an old one
|
|
author: NVISO
|
|
date: 2020/03/26
|
|
logsource:
|
|
product: windows
|
|
service: powershell
|
|
definition: Script block logging must be enabled
|
|
detection:
|
|
selection:
|
|
ScriptBlockText|contains:
|
|
- "WMImplant"
|
|
- " change_user "
|
|
- " gen_cli "
|
|
- " command_exec "
|
|
- " disable_wdigest "
|
|
- " disable_winrm "
|
|
- " enable_wdigest "
|
|
- " enable_winrm "
|
|
- " registry_mod "
|
|
- " remote_posh "
|
|
- " sched_job "
|
|
- " service_mod "
|
|
- " process_kill "
|
|
# - " process_start "
|
|
- " active_users "
|
|
- " basic_info "
|
|
# - " drive_list "
|
|
# - " installed_programs "
|
|
- " power_off "
|
|
- " vacant_system "
|
|
- " logon_events "
|
|
condition: selection
|
|
falsepositives:
|
|
- Administrative scripts that use the same keywords.
|
|
level: high
|