2020-03-27 15:08:35 +01:00
|
|
|
title: WMImplant Hack Tool
|
|
|
|
|
id: 8028c2c3-e25a-46e3-827f-bbb5abf181d7
|
|
|
|
|
status: experimental
|
|
|
|
|
description: Detects parameters used by WMImplant
|
|
|
|
|
references:
|
|
|
|
|
- https://github.com/FortyNorthSecurity/WMImplant
|
|
|
|
|
tags:
|
|
|
|
|
- attack.execution
|
|
|
|
|
- attack.t1047
|
2020-08-25 23:51:22 +00:00
|
|
|
- attack.t1059.001
|
2020-03-27 15:08:35 +01:00
|
|
|
author: NVISO
|
|
|
|
|
date: 2020/03/26
|
2021-10-16 08:18:49 +02:00
|
|
|
modified: 2021/10/16
|
2020-03-27 15:08:35 +01:00
|
|
|
logsource:
|
|
|
|
|
product: windows
|
2021-10-16 08:18:49 +02:00
|
|
|
category: ps_script
|
2021-08-21 09:50:59 +02:00
|
|
|
definition: Script block logging must be enabled
|
2020-03-27 15:08:35 +01:00
|
|
|
detection:
|
|
|
|
|
selection:
|
|
|
|
|
ScriptBlockText|contains:
|
2022-01-06 14:02:35 +01:00
|
|
|
- 'WMImplant'
|
|
|
|
|
- ' change_user '
|
|
|
|
|
- ' gen_cli '
|
|
|
|
|
- ' command_exec '
|
|
|
|
|
- ' disable_wdigest '
|
|
|
|
|
- ' disable_winrm '
|
|
|
|
|
- ' enable_wdigest '
|
|
|
|
|
- ' enable_winrm '
|
|
|
|
|
- ' registry_mod '
|
|
|
|
|
- ' remote_posh '
|
|
|
|
|
- ' sched_job '
|
|
|
|
|
- ' service_mod '
|
|
|
|
|
- ' process_kill '
|
|
|
|
|
# - ' process_start '
|
|
|
|
|
- ' active_users '
|
|
|
|
|
- ' basic_info '
|
|
|
|
|
# - ' drive_list '
|
|
|
|
|
# - ' installed_programs '
|
|
|
|
|
- ' power_off '
|
|
|
|
|
- ' vacant_system '
|
|
|
|
|
- ' logon_events '
|
2020-03-27 15:08:35 +01:00
|
|
|
condition: selection
|
|
|
|
|
falsepositives:
|
2020-03-30 08:53:52 +02:00
|
|
|
- Administrative scripts that use the same keywords.
|
2020-03-27 15:08:35 +01:00
|
|
|
level: high
|
