security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d14e287cdf91e2a8b995de5bfbc3fa8540c1922b
blue-team-tools/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml
T
Nasreddine Bencherchali 7c38a5c496 chore: add nextron authors tag
2023-02-01 11:14:59 +01:00

31 lines
811 B
YAML
Raw Blame History

title: Suspicious Encoded Scripts in a WMI Consumer
id: 83844185-1c5b-45bc-bcf3-b5bf3084ca5b
status: test
description: Detects suspicious encoded payloads in WMI Event Consumers
references:
- https://github.com/RiccardoAncarani/LiquidSnake
author: Florian Roth (Nextron Systems)
date: 2021/09/01
modified: 2022/10/09
tags:
- attack.execution
- attack.t1047
- attack.persistence
- attack.t1546.003
logsource:
product: windows
category: wmi_event
detection:
selection_destination:
Destination|base64offset|contains:
- 'WriteProcessMemory'
- 'This program cannot be run in DOS mode'
- 'This program must be run under Win32'
condition: selection_destination
fields:
- User
- Operation
falsepositives:
- Unknown
level: high
Reference in New Issue View Git Blame Copy Permalink