hayabusa/rules/Sigma/powershell_wmimplant.yml

---
# Sigma rule: matches PowerShell script-block text that contains the
# WMImplant tool name or one of its command keywords. Every keyword pattern
# is wrapped in '*' wildcards and padded with a single space on each side,
# presumably so that a whole command token is required rather than any
# substring (e.g. "power_off" inside an unrelated identifier).
title: WMImplant Hack Tool
id: 8028c2c3-e25a-46e3-827f-bbb5abf181d7
status: experimental
description: Detects parameters used by WMImplant
references:
  - https://github.com/FortyNorthSecurity/WMImplant
author: NVISO
# Slash-separated dates stay plain strings; a YAML parser would turn
# dash-separated ISO dates into date objects.
date: 2020/03/26
modified: 2021/10/16
tags:
  - attack.execution
  - attack.t1047
  - attack.t1059.001
  # NOTE(review): t1086 looks like the older PowerShell technique id that
  # t1059.001 superseded; presumably retained for tooling that still maps it.
  - attack.t1086
logsource:
  product: windows
  category: ps_script
  # The rule has no data to match on unless the source host actually
  # records script-block content.
  definition: Script block logging must be enabled
detection:
  # SELECTION_1 matches the tool name itself; SELECTION_2..18 each match one
  # WMImplant command keyword. The condition below ORs all of them.
  SELECTION_1:
    ScriptBlockText: '*WMImplant*'
  SELECTION_2:
    ScriptBlockText: '* change_user *'
  SELECTION_3:
    ScriptBlockText: '* gen_cli *'
  SELECTION_4:
    ScriptBlockText: '* command_exec *'
  SELECTION_5:
    ScriptBlockText: '* disable_wdigest *'
  SELECTION_6:
    ScriptBlockText: '* disable_winrm *'
  SELECTION_7:
    ScriptBlockText: '* enable_wdigest *'
  SELECTION_8:
    ScriptBlockText: '* enable_winrm *'
  SELECTION_9:
    ScriptBlockText: '* registry_mod *'
  SELECTION_10:
    ScriptBlockText: '* remote_posh *'
  SELECTION_11:
    ScriptBlockText: '* sched_job *'
  SELECTION_12:
    ScriptBlockText: '* service_mod *'
  SELECTION_13:
    ScriptBlockText: '* process_kill *'
  SELECTION_14:
    ScriptBlockText: '* active_users *'
  SELECTION_15:
    ScriptBlockText: '* basic_info *'
  SELECTION_16:
    ScriptBlockText: '* power_off *'
  SELECTION_17:
    ScriptBlockText: '* vacant_system *'
  SELECTION_18:
    ScriptBlockText: '* logon_events *'
  # Folded block scalar: line breaks become single spaces, so the resulting
  # condition string is one line with no trailing newline.
  condition: >-
    (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
    or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
    or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
    or SELECTION_16 or SELECTION_17 or SELECTION_18)
falsepositives:
  - Administrative scripts that use the same keywords.
level: high
# The two fields below are not part of the Sigma rule schema. yml_path is an
# absolute path under a local home directory; NOTE(review): confirm it is
# informational only and not consulted when the rule is loaded, since it will
# not exist on other machines.
yml_filename: powershell_wmimplant.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script