title: WMImplant Hack Tool
id: 8028c2c3-e25a-46e3-827f-bbb5abf181d7
status: test
description: Detects parameters used by WMImplant
references:
    - https://github.com/FortyNorthSecurity/WMImplant
author: NVISO
date: 2020-03-26
modified: 2022-12-25
tags:
    - attack.execution
    - attack.t1047
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'WMImplant'
            - ' change_user '
            - ' gen_cli '
            - ' command_exec '
            - ' disable_wdigest '
            - ' disable_winrm '
            - ' enable_wdigest '
            - ' enable_winrm '
            - ' registry_mod '
            - ' remote_posh '
            - ' sched_job '
            - ' service_mod '
            - ' process_kill '
            # - ' process_start '
            - ' active_users '
            - ' basic_info '
            # - ' drive_list '
            # - ' installed_programs '
            - ' power_off '
            - ' vacant_system '
            - ' logon_events '
    condition: selection
falsepositives:
    - Administrative scripts that use the same keywords.
level: high