Suspicious Non PowerShell WSMAN COM Provider

 1title: Suspicious Non PowerShell WSMAN COM Provider
 2id: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7
 3status: test
 4description: Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.
 5references:
 6    - https://twitter.com/chadtilbury/status/1275851297770610688
 7    - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
 8    - https://github.com/bohops/WSMan-WinRM
 9author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
10date: 2020-06-24
11modified: 2024-12-27
12tags:
13    - attack.execution
14    - attack.t1059.001
15    - attack.lateral-movement
16    - attack.t1021.003
17logsource:
18    product: windows
19    service: powershell-classic
20detection:
21    selection:
22        Data|contains: 'ProviderName=WSMan'
23    filter_main_ps:
24        Data|contains:
25            - 'HostApplication=powershell'
26            - 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
27            - 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
28            # In some cases powershell was invoked with inverted slashes
29            - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
30            - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
31    filter_main_host_application_null:
32        # Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex.
33        # If you're already mapping and extracting the field, then obviously use that directly.
34        Data|re: 'HostId=[a-zA-Z0-9-]{36}\s+EngineVersion='
35    condition: selection and not 1 of filter_main_*
36falsepositives:
37    - Unknown
38level: medium

References

• 

  Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.

  
  Read More

• WS-Management COM: Another Approach for WinRM Lateral Movement

  

  Introduction Lateral movement techniques in the wonderful world of enterprise Windows are quite finite.  There are only so many techniques and variations of those techniques that attackers use…

  
  Read More

• GitHub - bohops/WSMan-WinRM: A collection of proof-of-concept source code and scripts for executing remote commands over WinRM using the WSMan.Automation COM object

  

  A collection of proof-of-concept source code and scripts for executing remote commands over WinRM using the WSMan.Automation COM object - bohops/WSMan-WinRM

  
  Read More

Related rules

• Suspicious WSMAN Provider Image Loads
• HackTool - Potential Impacket Lateral Movement Activity
• Potential Remote PowerShell Session Initiated
• Remote LSASS Process Access Through Windows Remote Management
• Remote PowerShell Session (PS Classic)