security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml
T
Florian Roth b0c2d7b75a fix: tags for WMI / execution / persistence
2021-09-01 16:34:50 +02:00

30 lines
780 B
YAML
Raw Blame History

title: Suspicious Encoded Scripts in a WMI Consumer
id: 83844185-1c5b-45bc-bcf3-b5bf3084ca5b
status: experimental
description: Detects suspicious encoded payloads in WMI Event Consumers
author: Florian Roth
references:
- https://github.com/RiccardoAncarani/LiquidSnake
date: 2021/09/01
tags:
- attack.execution
- attack.t1047
- attack.persistence
- attack.t1546.003
logsource:
product: windows
category: wmi_event
detection:
selection_destination:
Destination|base64offset|contains:
- 'WriteProcessMemory'
- 'This program cannot be run in DOS mode'
- 'This program must be run under Win32'
condition: selection_destination
fields:
- User
- Operation
falsepositives:
- Unknown
level: high
Reference in New Issue View Git Blame Copy Permalink