Suspicious Non PowerShell WSMAN COM Provider

Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.

Sigma rule

title: Suspicious Non PowerShell WSMAN COM Provider
id: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7
status: test
description: Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.
references:
    - https://twitter.com/chadtilbury/status/1275851297770610688
    - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
    - https://github.com/bohops/WSMan-WinRM
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/24
modified: 2023/10/27
tags:
    - attack.execution
    - attack.t1059.001
    - attack.lateral_movement
    - attack.t1021.003
logsource:
    product: windows
    service: powershell-classic
detection:
    selection:
        Data|contains: 'ProviderName=WSMan'
    filter_main_ps:
        Data|contains:
            - 'HostApplication=powershell'
            - 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
            - 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
            # In some cases powershell.exe is logged with forward slashes in its path
            - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
            - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
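To show what the rule's `selection and not 1 of filter_main_*` condition actually does to a PowerShell-classic event, here is an added re-implementation in plain Python run over constructed sample events. It is not part of the Sigma project or of this rule; it assumes the event's `Data` field has already been extracted as one string, and the sample `Details` blocks, host paths and sequence numbers are made up for the demonstration. Sigma string matching is case-insensitive, so the comparison lowercases both sides.

```python
"""Added example: the Sigma rule above expressed as plain Python and run over
constructed PowerShell-classic event Data strings.  Not the Sigma project's
code; assumes Data has already been pulled out of the event record."""
import re

# selection: Data|contains: 'ProviderName=WSMan'  (lower-cased for case-insensitive match)
SELECTION = "providername=wsman"

# filter_main_ps: any of these HostApplication prefixes means a genuine
# powershell.exe host loaded the provider, which the rule treats as benign.
# Because the match is a substring/prefix match, powershell_ise.exe under
# the same directory is excluded as well.
FILTER_MAIN_PS = (
    "hostapplication=powershell",
    r"hostapplication=c:\windows\system32\windowspowershell\v1.0\powershell",
    r"hostapplication=c:\windows\syswow64\windowspowershell\v1.0\powershell",
    "hostapplication=c:/windows/system32/windowspowershell/v1.0/powershell",
    "hostapplication=c:/windows/syswow64/windowspowershell/v1.0/powershell",
)


def matches_rule(data: str) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    d = data.lower()
    if SELECTION not in d:          # selection did not match
        return False
    return not any(f in d for f in FILTER_MAIN_PS)   # drop known PowerShell hosts


def host_application(data: str) -> str:
    """Pull the HostApplication value out of the Details block ('' if absent)."""
    m = re.search(r"HostApplication=(.*)", data)
    return m.group(1).strip() if m else ""


def triage(events):
    """HostApplication of every event the rule would fire on, for an analyst to review."""
    return [host_application(e) for e in events if matches_rule(e)]


def make_event(provider: str, host_app: str) -> str:
    """Constructed Data field modelled on a 'Provider "<name>" is Started.' event.
    Field names follow the classic PowerShell log layout; values are invented."""
    return (
        f'Provider "{provider}" is Started.\n\nDetails:\n'
        f"\tProviderName={provider}\n\tNewProviderState=Started\n"
        f"\tSequenceNumber=1\n\tHostName=ConsoleHost\n"
        f"\tHostApplication={host_app}\n\tEngineVersion=5.1.19041.1\n"
    )


# Constructed sample events (paths are illustrative, not real telemetry).
SAMPLE_EVENTS = [
    # 0: WSMan loaded by powershell.exe -> filtered out
    make_event("WSMan", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoLogo"),
    # 1: same, path logged with forward slashes -> still filtered out
    make_event("WSMan", "C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"),
    # 2: WSMan loaded by some other host binary -> rule fires
    make_event("WSMan", r"C:\Users\demo\AppData\Local\Temp\custom-host.exe"),
    # 3: a different provider from the same odd host -> selection does not match
    make_event("Registry", r"C:\Users\demo\AppData\Local\Temp\custom-host.exe"),
    # 4: PowerShell ISE shares the prefix, so it is filtered too
    make_event("WSMan", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("WSMan provider loaded by non-PowerShell host:", hit)
```

Only event 2 survives: the selection keys on the provider name, and the filter list is a set of host-path prefixes, so anything outside those prefixes (including any other `.exe` that embeds the PowerShell engine) is surfaced for review rather than silently dropped.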
