HackTool - Evil-WinRm Execution - PowerShell Module

Aug 12, 2024 · attack.lateral-movement ·

Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.

Sigma rule (View on GitHub)

 1title: HackTool - Evil-WinRm Execution - PowerShell Module
 2id: 9fe55ea2-4cd6-4491-8a54-dd6871651b51
 3status: experimental
 4description: |
 5        Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.
 6references:
 7    - https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb
 8    - https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2024-02-25
11tags:
12    - attack.lateral-movement
13logsource:
14    product: windows
15    category: ps_module
16detection:
17    selection_wsm:
18        ContextInfo|contains:
19            - ':\Windows\System32\wsmprovhost.exe'
20            - ':\Windows\SysWOW64\wsmprovhost.exe'
21    selection_payload_1:
22        Payload|contains:
23            - value="(get-location).path # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L592
24            - value="(get-item*).length # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L490
25            - 'Invoke-Binary ' # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L740
26            - Donut-Loader -process_id*-donutfile # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L761
27            - Bypass-4MSI
28            - IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($a))).replace('???','')
29    selection_payload_2:
30        Payload|contains|all:
31            - $servicios = Get-ItemProperty "registry::HKLM\System\CurrentControlSet\Services\"
32            - Where-Object {$_.imagepath -notmatch "system" -and $_.imagepath -ne $null } | Select-Object pschildname,imagepath
33    selection_payload_3:
34        Payload|contains|all:
35            - $a +=  \"$($_.FullName.Replace('\\','/'))/\"}else{  $a += \"$($_.FullName.Replace('\\', '/'))\" } # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L1001
36            - $a=@();$
37    condition: selection_wsm and 1 of selection_payload_*
38falsepositives:
39    - Unknown
40level: high

References

evil-winrm/evil-winrm.rb at 7514b055d67ec19836e95c05bd63e7cc47c4c2aa · Hackplayers/evil-winrm

The ultimate WinRM shell for hacking/pentesting. Contribute to Hackplayers/evil-winrm development by creating an account on GitHub.

Read More
Build software better, together

GitHub is where people build software. More than 100 million people use GitHub to discover, fork, and contribute to over 420 million projects.

Read More

HackTool - Evil-WinRm Execution - PowerShell Module

Sigma rule (View on GitHub)

References

evil-winrm/evil-winrm.rb at 7514b055d67ec19836e95c05bd63e7cc47c4c2aa · Hackplayers/evil-winrm

Build software better, together

Related rules