Suspicious Non PowerShell WSMAN COM Provider
Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.
Sigma rule
title: Suspicious Non PowerShell WSMAN COM Provider
id: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7
status: test
description: Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.
references:
    - https://twitter.com/chadtilbury/status/1275851297770610688
    - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
    - https://github.com/bohops/WSMan-WinRM
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/24
modified: 2023/10/27
tags:
    - attack.execution
    - attack.t1059.001
    - attack.lateral_movement
    - attack.t1021.003
logsource:
    product: windows
    service: powershell-classic
detection:
    selection:
        Data|contains: 'ProviderName=WSMan'
    filter_main_ps:
        Data|contains:
            - 'HostApplication=powershell'
            - 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
            - 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
            # In some cases powershell was invoked with forward slashes in the host path
            - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
            - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
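The rule's selection and filter, applied in Python to a handful of constructed provider-lifecycle messages (Event ID 600 in the Windows PowerShell classic log, where the "Details:" block carries ProviderName and HostApplication). This is an added example, not code from the Sigma project or from the rule's author; the sample events, the HostId placeholder and the non-PowerShell host `updater.exe` are constructed for illustration. Sigma `contains` matching is case-insensitive, so the comparison lowercases both sides, which is why a host path logged in lower case is still filtered rather than alerted on:

```python
import re

# Sigma string matching is case-insensitive, so the event text and the
# patterns are compared in lower case. Patterns mirror the rule above.
SELECTION = ["providername=wsman"]
FILTER_MAIN_PS = [
    "hostapplication=powershell",
    "hostapplication=c:\\windows\\system32\\windowspowershell\\v1.0\\powershell",
    "hostapplication=c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell",
    # Some invocations log the host path with forward slashes.
    "hostapplication=c:/windows/system32/windowspowershell/v1.0/powershell",
    "hostapplication=c:/windows/syswow64/windowspowershell/v1.0/powershell",
]


def _event(provider, host_application):
    """Build a constructed Event ID 600 'Data' field in the layout of the
    Windows PowerShell classic log. Synthetic sample, not a captured event;
    the HostId is a placeholder."""
    return (
        f'Provider "{provider}" is Started.\n\nDetails:\n'
        f"\tProviderName={provider}\n\tNewProviderState=Started\n\n"
        "\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n"
        "\tHostId=00000000-0000-0000-0000-000000000000\n"
        f"\tHostApplication={host_application}\n\tEngineVersion=5.1.19041.1\n"
    )


# Constructed sample events. 'updater.exe' is a hypothetical custom host that
# embeds the PowerShell engine and starts the WSMan provider.
SAMPLE_EVENTS = {
    "ps_full_path": _event("WSMan", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile"),
    "ps_forward_slashes": _event("WSMan", "C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe"),
    "ps_lowercase_path": _event("WSMan", "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"),
    "ps_bare_name": _event("WSMan", "powershell -ExecutionPolicy Bypass"),
    "custom_host": _event("WSMan", "C:\\Users\\Public\\updater.exe"),
    "custom_host_other_provider": _event("Registry", "C:\\Users\\Public\\updater.exe"),
}


def contains_any(data, patterns):
    """Sigma 'Data|contains' over a list: true if any pattern is a substring."""
    lowered = data.lower()
    return any(p in lowered for p in patterns)


def matches_rule(data):
    """condition: selection and not 1 of filter_main_*"""
    return contains_any(data, SELECTION) and not contains_any(data, FILTER_MAIN_PS)


def host_application(data):
    """Pull the HostApplication line out of the Details block for triage."""
    m = re.search(r"^\s*HostApplication=(.*)$", data, re.MULTILINE)
    return m.group(1).strip() if m else None


def triage(events):
    """Return the host application of every event the rule fires on."""
    return {name: host_application(d) for name, d in events.items() if matches_rule(d)}


if __name__ == "__main__":
    for name, host in triage(SAMPLE_EVENTS).items():
        print(f"ALERT {name}: WSMan provider started by {host}")
```

Only the custom host fires; every powershell.exe variant (full path, forward slashes, lower case, bare name with arguments) is excluded because each filter string is a substring of its HostApplication line, and the Registry-provider event never passes the selection. Note that the bare `HostApplication=powershell` filter also covers `powershell_ise.exe`, and that PowerShell 7 (`pwsh.exe`) does not write to the classic log this rule reads, so it is neither matched nor filtered here.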
Related rules
- Suspicious WSMAN Provider Image Loads
- Remote PowerShell Session (PS Classic)
- Remote PowerShell Session (Network)
- Possible Impacket DCOMExec Connection Attempt - Zeek
- Remote PowerShell Session (PS Module)