HackTool - Evil-WinRm Execution - PowerShell Module

Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.

Sigma rule (View on GitHub)

 1title: HackTool - Evil-WinRm Execution - PowerShell Module
 2id: 9fe55ea2-4cd6-4491-8a54-dd6871651b51
 3status: experimental
 4description: |
 5        Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.
 6references:
 7    - https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb
 8    - https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2024/02/25
11tags:
12    - attack.lateral_movement
13logsource:
14    product: windows
15    category: ps_module
16detection:
17    selection_wsm:
18        ContextInfo|contains:
19            - ':\Windows\System32\wsmprovhost.exe'
20            - ':\Windows\SysWOW64\wsmprovhost.exe'
21    selection_payload_1:
22        Payload|contains:
23            - value="(get-location).path # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L592
24            - value="(get-item*).length # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L490
25            - 'Invoke-Binary ' # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L740
26            - Donut-Loader -process_id*-donutfile # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L761
27            - Bypass-4MSI
28            - IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($a))).replace('???','')
29    selection_payload_2:
30        Payload|contains|all:
31            - $servicios = Get-ItemProperty "registry::HKLM\System\CurrentControlSet\Services\"
32            - Where-Object {$_.imagepath -notmatch "system" -and $_.imagepath -ne $null } | Select-Object pschildname,imagepath
33    selection_payload_3:
34        Payload|contains|all:
35            - $a +=  \"$($_.FullName.Replace('\\','/'))/\"}else{  $a += \"$($_.FullName.Replace('\\', '/'))\" } # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L1001
36            - $a=@();$
37    condition: selection_wsm and 1 of selection_payload_*
38falsepositives:
39    - Unknown
40level: high

References

Related rules

to-top