powershell_wmimplant.yml
title: WMImplant Hack Tool
id: 8028c2c3-e25a-46e3-827f-bbb5abf181d7
status: experimental
description: Detects parameters used by WMImplant
references:
    - https://github.com/FortyNorthSecurity/WMImplant
tags:
    - attack.execution
    - attack.t1047
    - attack.t1059.001
    - attack.t1086 # an old one
author: NVISO
date: 2020/03/26
logsource:
    product: windows
    service: powershell
    definition: Script block logging must be enabled
detection:
    selection:
        ScriptBlockText|contains:
            - "WMImplant"
            - " change_user "
            - " gen_cli "
            - " command_exec "
            - " disable_wdigest "
            - " disable_winrm "
            - " enable_wdigest "
            - " enable_winrm "
            - " registry_mod "
            - " remote_posh "
            - " sched_job "
            - " service_mod "
            - " process_kill "
            # - " process_start "
            - " active_users "
            - " basic_info "
            # - " drive_list "
            # - " installed_programs "
            - " power_off "
            - " vacant_system "
            - " logon_events "
    condition: selection
falsepositives:
    - Administrative scripts that use the same keywords.
level: high
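Added example, not part of the Sigma rule set or the WMImplant project: a small Python matcher that applies this rule's ScriptBlockText|contains selection to constructed PowerShell script block (Event ID 4104) events. It shows two properties a rule author relies on: Sigma's contains match is case-insensitive by default, and the leading and trailing spaces in most list entries are part of the pattern, so a keyword inside quotes does not fire. The event records and the Invoke-Example cmdlet name are made up for the demonstration.

```python
# Added example (not from the Sigma repository): evaluate the WMImplant
# rule's selection against constructed script block log events.

# Keyword list copied from the rule's ScriptBlockText|contains selection.
# Entries commented out in the rule are left out here as well.
WMIMPLANT_KEYWORDS = [
    "WMImplant",
    " change_user ",
    " gen_cli ",
    " command_exec ",
    " disable_wdigest ",
    " disable_winrm ",
    " enable_wdigest ",
    " enable_winrm ",
    " registry_mod ",
    " remote_posh ",
    " sched_job ",
    " service_mod ",
    " process_kill ",
    " active_users ",
    " basic_info ",
    " power_off ",
    " vacant_system ",
    " logon_events ",
]


def matched_keywords(script_block_text, keywords=WMIMPLANT_KEYWORDS):
    """Return the rule keywords that occur in the text.

    Sigma's |contains modifier matches case-insensitively unless |cased is
    added, so both sides are lower-cased. The surrounding spaces in most
    patterns are part of the match: 'process_kill' inside quotes does not
    satisfy " process_kill ".
    """
    haystack = script_block_text.lower()
    return [k for k in keywords if k.lower() in haystack]


def evaluate(events, keywords=WMIMPLANT_KEYWORDS):
    """Apply 'condition: selection' to a list of 4104-style events.

    Returns [(event_index, [matched keywords]), ...] for events that fire.
    """
    hits = []
    for i, ev in enumerate(events):
        found = matched_keywords(ev.get("ScriptBlockText", ""), keywords)
        if found:
            hits.append((i, found))
    return hits


# Constructed sample events; none of these are real telemetry.
SAMPLE_EVENTS = [
    # 0: the tool name alone is enough (that pattern has no surrounding spaces)
    {"EventID": 4104, "ScriptBlockText": "Import-Module .\\wmimplant.ps1"},
    # 1: two function keywords delimited by whitespace, as the rule expects
    {"EventID": 4104,
     "ScriptBlockText": "Invoke-Example -Command basic_info ; then logon_events now"},
    # 2: keyword present but quoted, so no space on both sides: no hit
    {"EventID": 4104, "ScriptBlockText": "Write-Host 'process_kill'"},
    # 3: benign maintenance script that trips the rule (the listed false positive)
    {"EventID": 4104,
     "ScriptBlockText": "# nightly power_off of lab VMs\nStop-Computer -Force"},
    # 4: unrelated administrative script: no hit
    {"EventID": 4104, "ScriptBlockText": "Get-Service | Where-Object Status -eq 'Running'"},
]


if __name__ == "__main__":
    for idx, found in evaluate(SAMPLE_EVENTS):
        print(f"event {idx} matched: {found}")
```

Event 3 is the case the rule's falsepositives entry warns about: a comment in an ordinary script that happens to contain one of the whitespace-delimited keywords is enough to fire, so triage should look at whether the surrounding script block also references the tool itself or several of the listed functions.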