AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
Sigma rule (View on GitHub)
1title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
2id: d353dac0-1b41-46c2-820c-d7d2561fc6ed
3related:
4 - id: 074e0ded-6ced-4ebd-8b4d-53f55908119d
5 type: derived
6status: test
7description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
8references:
9 - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
10author: Julia Fomina, oscd.community
11date: 2020/10/06
12modified: 2022/11/28
13tags:
14 - attack.defense_evasion
15 - attack.t1216
16logsource:
17 product: windows
18 category: file_event
19detection:
20 system_files:
21 TargetFilename|endswith:
22 - 'WsmPty.xsl'
23 - 'WsmTxt.xsl'
24 in_system_folder:
25 TargetFilename|startswith:
26 - 'C:\Windows\System32\'
27 - 'C:\Windows\SysWOW64\'
28 condition: system_files and not in_system_folder
29falsepositives:
30 - Unlikely
31level: medium
References
Related rules
- Execution via CL_Invocation.ps1 (2 Lines)
- Execution via CL_Mutexverifiers.ps1 (2 Lines)
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
- Remote Code Execute via Winrm.vbs
- Potential Manage-bde.wsf Abuse To Proxy Execution