Suspicious WSMAN Provider Image Loads
Detects loads of the WSMAN provider DLLs (WsmSvc.dll, WsmAuto.dll, Microsoft.WSMan.Management) by processes other than the usual WinRM clients, and loads of the WMI plugin WsmWmiPl.dll into a service host, which can indicate use of WS-Management from an unexpected local process or remote execution over WinRM.
Sigma rule

```yaml
title: Suspicious WSMAN Provider Image Loads
id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
status: test
description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
references:
    - https://twitter.com/chadtilbury/status/1275851297770610688
    - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
    - https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture
    - https://github.com/bohops/WSMan-WinRM
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-24
modified: 2022-10-07
tags:
    - attack.execution
    - attack.t1059.001
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: image_load
    product: windows
detection:
    request_client:
        - ImageLoaded|endswith:
              - '\WsmSvc.dll'
              - '\WsmAuto.dll'
              - '\Microsoft.WSMan.Management.ni.dll'
        - OriginalFileName:
              - 'WsmSvc.dll'
              - 'WSMANAUTOMATION.DLL'
              - 'Microsoft.WSMan.Management.dll'
    respond_server:
        Image|endswith: '\svchost.exe'
        OriginalFileName: 'WsmWmiPl.dll'
    filter_general:
        Image|endswith:
            - '\powershell.exe'
            - 'C:\Windows\System32\sdiagnhost.exe'
            - 'C:\Windows\System32\services.exe'
    filter_svchost: # not available in Sysmon data, but Aurora logs
        CommandLine|contains:
            - 'svchost.exe -k netsvcs -p -s BITS'
            - 'svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc'
            - 'svchost.exe -k NetworkService -p -s Wecsvc'
            - 'svchost.exe -k netsvcs'
    filter_mscorsvw: # Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Image|startswith:
            - 'C:\Windows\Microsoft.NET\Framework64\v'
            - 'C:\Windows\Microsoft.NET\Framework\v'
        Image|endswith: '\mscorsvw.exe'
    filter_svr_2019:
        Image:
            - 'C:\Windows\System32\Configure-SMRemoting.exe'
            - 'C:\Windows\System32\ServerManager.exe'
    filter_nextron:
        Image|startswith: 'C:\Windows\Temp\asgard2-agent\'
    filter_citrix:
        Image|startswith: 'C:\Program Files\Citrix\'
    filter_ps_ise:
        Image|endswith: '\powershell_ise.exe'
    filter_upgrade:
        Image|startswith: 'C:\$WINDOWS.~BT\Sources\'
    svchost:
        Image|endswith: '\svchost.exe'
    commandline_null:
        CommandLine: null
    condition: ( request_client or respond_server ) and not 1 of filter* and not ( svchost and commandline_null )
falsepositives:
    - Unknown
level: medium
```
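To see how the selections and the condition combine on event data, the following Python evaluator (an added example, not part of the Sigma project or of the rule author's tooling) transcribes the rule's selections and runs the condition over a handful of constructed image_load events. Field names (Image, ImageLoaded, OriginalFileName, CommandLine) follow the Sigma Windows image_load schema; the sample paths and service host command lines are assumptions made up for illustration, and the matcher implements only the modifiers this rule uses, with Sigma's case-insensitive string comparison.

```python
"""Evaluate the selections and condition of the Sigma rule 'Suspicious WSMAN
Provider Image Loads' over constructed image_load events. Added example, not the
Sigma project's or the rule author's tooling; it covers only the modifiers this
rule uses (exact, endswith, startswith, contains, null), case-insensitively as
Sigma specifies."""

# Selections transcribed from the rule: a list of maps is OR-ed, the keys of
# one map are AND-ed, and a list of values under one key is OR-ed.
REQUEST_CLIENT = [
    {"ImageLoaded|endswith": ["\\WsmSvc.dll", "\\WsmAuto.dll",
                              "\\Microsoft.WSMan.Management.ni.dll"]},
    {"OriginalFileName": ["WsmSvc.dll", "WSMANAUTOMATION.DLL",
                          "Microsoft.WSMan.Management.dll"]},
]
RESPOND_SERVER = {"Image|endswith": "\\svchost.exe", "OriginalFileName": "WsmWmiPl.dll"}
FILTERS = {
    "filter_general": {"Image|endswith": [
        "\\powershell.exe", "C:\\Windows\\System32\\sdiagnhost.exe",
        "C:\\Windows\\System32\\services.exe"]},
    "filter_svchost": {"CommandLine|contains": [
        "svchost.exe -k netsvcs -p -s BITS",
        "svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc",
        "svchost.exe -k NetworkService -p -s Wecsvc", "svchost.exe -k netsvcs"]},
    "filter_mscorsvw": {"Image|startswith": [
        "C:\\Windows\\Microsoft.NET\\Framework64\\v", "C:\\Windows\\Microsoft.NET\\Framework\\v"],
        "Image|endswith": "\\mscorsvw.exe"},
    "filter_svr_2019": {"Image": ["C:\\Windows\\System32\\Configure-SMRemoting.exe",
                                  "C:\\Windows\\System32\\ServerManager.exe"]},
    "filter_nextron": {"Image|startswith": "C:\\Windows\\Temp\\asgard2-agent\\"},
    "filter_citrix": {"Image|startswith": "C:\\Program Files\\Citrix\\"},
    "filter_ps_ise": {"Image|endswith": "\\powershell_ise.exe"},
    "filter_upgrade": {"Image|startswith": "C:\\$WINDOWS.~BT\\Sources\\"},
}
SVCHOST = {"Image|endswith": "\\svchost.exe"}
COMMANDLINE_NULL = {"CommandLine": None}  # Sigma null: field absent or null

def _match_value(actual, modifier, expected):
    """Compare one event value with one expected value under a Sigma modifier."""
    if expected is None:
        return actual is None
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "":
        return a == e
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    raise ValueError("unsupported modifier: " + modifier)

def _match_map(event, selection):
    # every key of the map must match (AND); a list under one key is OR-ed
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event.get(field), modifier, v) for v in values):
            return False
    return True

def match_selection(event, selection):
    # a selection is either one map or a list of maps that are OR-ed
    return (any(_match_map(event, m) for m in selection) if isinstance(selection, list)
            else _match_map(event, selection))

def matches_rule(event):
    """( request_client or respond_server ) and not 1 of filter* and not ( svchost and commandline_null )"""
    hit = match_selection(event, REQUEST_CLIENT) or match_selection(event, RESPOND_SERVER)
    filtered = any(match_selection(event, f) for f in FILTERS.values())
    svchost_no_cmdline = match_selection(event, SVCHOST) and match_selection(event, COMMANDLINE_NULL)
    return hit and not filtered and not svchost_no_cmdline

# Constructed sample events in the shape of Sysmon Event ID 7. CommandLine is only
# present where a source such as Aurora enriches it; all paths are made up.
SYS32 = "C:\\Windows\\System32\\"
WMIPL = {"ImageLoaded": SYS32 + "WsmWmiPl.dll", "OriginalFileName": "WsmWmiPl.dll"}
SAMPLE_EVENTS = {
    "excel_wsmauto": {"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
                      "ImageLoaded": SYS32 + "WsmAuto.dll", "OriginalFileName": "WSMANAUTOMATION.DLL"},
    "powershell_wsmsvc": {"Image": SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe",
                          "ImageLoaded": SYS32 + "WsmSvc.dll", "OriginalFileName": "WsmSvc.dll"},
    "svchost_wmipl_sysmon": {"Image": SYS32 + "svchost.exe", **WMIPL},
    "svchost_wmipl_wecsvc": {"Image": SYS32 + "svchost.exe", **WMIPL,
                             "CommandLine": SYS32 + "svchost.exe -k NetworkService -p -s Wecsvc"},
    "svchost_wmipl_winrm": {"Image": SYS32 + "svchost.exe", **WMIPL,
                            "CommandLine": SYS32 + "svchost.exe -k NetworkService -p -s WinRM"},
    "mscorsvw_ngen": {"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe",
                      "ImageLoaded": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.WSMan.Management.ni.dll",
                      "OriginalFileName": "Microsoft.WSMan.Management.dll"},
}

def evaluate_samples():
    """Map each sample name to whether the rule would alert on it."""
    return {name: matches_rule(ev) for name, ev in SAMPLE_EVENTS.items()}

if __name__ == "__main__":
    for name, alert in evaluate_samples().items():
        print(("ALERT " if alert else "quiet ") + name)
```

Running it alerts only on the Office process loading WsmAuto.dll and on the service host whose command line is present and not allow-listed. The last two selections deserve attention: Sigma's `null` matches an absent field, and Sysmon Event ID 7 carries no CommandLine, so on plain Sysmon data every svchost.exe load is dropped by `not ( svchost and commandline_null )` and the `respond_server` branch can never fire; only the `request_client` branch (a client process loading the provider) can alert there. The server-side signal, WsmWmiPl.dll loaded into the service host, is only surfaced by sources that add the command line, as the comment on `filter_svchost` notes, which is why the constructed `svchost_wmipl_sysmon` and `svchost_wmipl_winrm` events differ in outcome.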
Related rules
- HackTool - Potential Impacket Lateral Movement Activity
- Potential Remote PowerShell Session Initiated
- Remote LSASS Process Access Through Windows Remote Management
- Remote PowerShell Session (PS Classic)
- Remote PowerShell Session (PS Module)