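title: WMImplant Hack Tool
id: 8028c2c3-e25a-46e3-827f-bbb5abf181d7
status: experimental
description: |
    Detects PowerShell script block text that contains the WMImplant module name or
    the command names exposed by WMImplant, a WMI-based PowerShell post-exploitation
    tool published by FortyNorthSecurity (see references). Matching is on the
    command keywords only, so it fires regardless of how the tool was loaded.
references:
    - https://github.com/FortyNorthSecurity/WMImplant
tags:
    - attack.execution
    - attack.t1047
    - attack.t1059.001
    # T1086 (PowerShell) was revoked by MITRE and folded into T1059.001, which is
    # already listed above; the old ID is kept only so existing tag-based filters
    # and dashboards that still key on it keep working.
    - attack.t1086
author: NVISO
date: 2020/03/26
modified: 2021/10/16
logsource:
    product: windows
    category: ps_script
    # Event ID 4104 (Microsoft-Windows-PowerShell/Operational) must be collected,
    # otherwise ScriptBlockText is never populated and the rule is silent.
    definition: Script block logging must be enabled
detection:
    selection:
        # Every term except "WMImplant" is a WMImplant command name padded with one
        # leading and one trailing space. The padding keeps short, generic tokens
        # (basic_info, active_users, power_off, ...) from matching as a substring of
        # longer identifiers. NOTE(review): the same padding means a keyword at the
        # very start or end of a line, or directly followed by punctuation such as
        # ")" or ";", will NOT match — confirm the tool's invocation syntax before
        # treating a non-hit as evidence of absence.
        ScriptBlockText|contains:
            - "WMImplant"
            - " change_user "
            - " gen_cli "
            - " command_exec "
            - " disable_wdigest "
            - " disable_winrm "
            - " enable_wdigest "
            - " enable_winrm "
            - " registry_mod "
            - " remote_posh "
            - " sched_job "
            - " service_mod "
            - " process_kill "
            # Deliberately excluded from the selection in the upstream rule history;
            # presumably too common in benign scripts to be useful on their own.
            # Left here so a tuned deployment can re-enable them knowingly.
            # - " process_start "
            - " active_users "
            - " basic_info "
            # - " drive_list "
            # - " installed_programs "
            - " power_off "
            - " vacant_system "
            - " logon_events "
    condition: selection
falsepositives:
    - Administrative scripts or other PowerShell tooling that happen to define or call functions with the same names; several keywords (basic_info, active_users, enable_winrm) are generic enough to occur in benign code, so triage should confirm the surrounding script block rather than the single keyword.
level: high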