Max Altgelt
6f05e33feb
Correct a number of rules where message or keyword were incorrectly used as field names in events (typically windows event logs). However, neither field actually exists and as such these strings could never match.
29 lines
897 B
YAML
29 lines
897 B
YAML
title: Suspicious Non PowerShell WSMAN COM Provider
|
|
id: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7
|
|
description: Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.
|
|
status: experimental
|
|
date: 2020/06/24
|
|
modified: 2021/05/21
|
|
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1059.001
|
|
- attack.lateral_movement
|
|
- attack.t1021.003
|
|
references:
|
|
- https://twitter.com/chadtilbury/status/1275851297770610688
|
|
- https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
|
|
- https://github.com/bohops/WSMan-WinRM
|
|
logsource:
|
|
product: windows
|
|
service: powershell
|
|
detection:
|
|
selection:
|
|
- 'ProviderName=WSMan'
|
|
filter:
|
|
- 'HostApplication=*powershell'
|
|
condition: selection and not filter
|
|
falsepositives:
|
|
- Unknown
|
|
level: medium
|