47 lines
1.0 KiB
YAML
47 lines
1.0 KiB
YAML
|
|
title: WMImplant Hack Tool
|
|
author: NVISO
|
|
date: 2020/03/26
|
|
description: Detects parameters used by WMImplant
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 4104
|
|
SELECTION_2:
|
|
ScriptBlockText:
|
|
- '*WMImplant*'
|
|
- '* change_user *'
|
|
- '* gen_cli *'
|
|
- '* command_exec *'
|
|
- '* disable_wdigest *'
|
|
- '* disable_winrm *'
|
|
- '* enable_wdigest *'
|
|
- '* enable_winrm *'
|
|
- '* registry_mod *'
|
|
- '* remote_posh *'
|
|
- '* sched_job *'
|
|
- '* service_mod *'
|
|
- '* process_kill *'
|
|
- '* active_users *'
|
|
- '* basic_info *'
|
|
- '* power_off *'
|
|
- '* vacant_system *'
|
|
- '* logon_events *'
|
|
condition: (SELECTION_1 and SELECTION_2)
|
|
falsepositives:
|
|
- Administrative scripts that use the same keywords.
|
|
id: 8028c2c3-e25a-46e3-827f-bbb5abf181d7
|
|
level: high
|
|
logsource:
|
|
definition: Script block logging must be enabled
|
|
product: windows
|
|
service: powershell
|
|
modified: 2021/08/30
|
|
references:
|
|
- https://github.com/FortyNorthSecurity/WMImplant
|
|
status: experimental
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1047
|
|
- attack.t1059.001
|
|
- attack.t1086
|