eric-forte-elastic
55 lines
1.6 KiB
Python
55 lines
1.6 KiB
Python
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
|
# or more contributor license agreements. Licensed under the Elastic License
|
|
# 2.0; you may not use this file except in compliance with the Elastic License
|
|
# 2.0.
|
|
|
|
# Name: Suspicious WMIC script execution
|
|
# RTA: suspicious_wmic_script.py
|
|
# Description: Uses the WMI command-line utility to execute built-in Windows commands which are unusual or unexpected.
|
|
# Reference: https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html
|
|
import os
|
|
|
|
from . import common
|
|
from . import RtaMetadata
|
|
|
|
|
|
metadata = RtaMetadata(
|
|
uuid="16b3d9c6-e188-49c5-8dce-d3eb5b0fcf91",
|
|
platforms=["windows"],
|
|
endpoint=[],
|
|
siem=[{"rule_id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6", "rule_name": "Suspicious WMIC XSL Script Execution"}],
|
|
techniques=["T1220"],
|
|
)
|
|
|
|
|
|
xsl_file = "test.xsl"
|
|
xsl_content = """<?xml version='1.0'?>
|
|
<stylesheet
|
|
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
|
|
xmlns:user="placeholder"
|
|
version="1.0">
|
|
<output method="text"/>
|
|
<ms:script implements-prefix="user" language="JScript">
|
|
<![CDATA[
|
|
var r = new ActiveXObject("WScript.Shell").Run("ipconfig.exe");
|
|
]]> </ms:script>
|
|
</stylesheet>
|
|
"""
|
|
|
|
|
|
@common.requires_os(*metadata.platforms)
|
|
def main():
|
|
common.log("Executing suspicious WMIC script")
|
|
|
|
with open(xsl_file, "w") as f:
|
|
f.write(xsl_content)
|
|
|
|
# Many variations on this command. For example, -format:, / format : , etc
|
|
common.execute(["wmic.exe", "os", "get", "/format:" + xsl_file])
|
|
|
|
os.remove(xsl_file)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
exit(main())
|