WMImplant Hack Tool
Detects parameters used by WMImplant
Sigma rule
```yaml
title: WMImplant Hack Tool
id: 8028c2c3-e25a-46e3-827f-bbb5abf181d7
status: test
description: Detects parameters used by WMImplant
references:
    - https://github.com/FortyNorthSecurity/WMImplant
author: NVISO
date: 2020-03-26
modified: 2022-12-25
tags:
    - attack.execution
    - attack.t1047
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'WMImplant'
            - ' change_user '
            - ' gen_cli '
            - ' command_exec '
            - ' disable_wdigest '
            - ' disable_winrm '
            - ' enable_wdigest '
            - ' enable_winrm '
            - ' registry_mod '
            - ' remote_posh '
            - ' sched_job '
            - ' service_mod '
            - ' process_kill '
            # - ' process_start '
            - ' active_users '
            - ' basic_info '
            # - ' drive_list '
            # - ' installed_programs '
            - ' power_off '
            - ' vacant_system '
            - ' logon_events '
    condition: selection
falsepositives:
    - Administrative scripts that use the same keywords.
level: high
```
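The following is an added example, not part of the rule or the Sigma project: it applies the rule's `ScriptBlockText|contains` selection to constructed PowerShell script block events. It assumes the `ps_script` log source maps to Event ID 4104 (an assumption; the rule itself names no event ID) and that Sigma's default string matching is case-insensitive, so the spaces around most terms are what stop a bare substring such as `'service_mod'` inside quotes from firing.

```python
# Selection terms copied from the rule's ScriptBlockText|contains list.
# Sigma matches strings case-insensitively by default; the leading and
# trailing spaces on most terms are part of the pattern and require the
# WMImplant command name to appear as a space-delimited token.
WMIMPLANT_TERMS = [
    "WMImplant", " change_user ", " gen_cli ", " command_exec ",
    " disable_wdigest ", " disable_winrm ", " enable_wdigest ", " enable_winrm ",
    " registry_mod ", " remote_posh ", " sched_job ", " service_mod ",
    " process_kill ", " active_users ", " basic_info ", " power_off ",
    " vacant_system ", " logon_events ",
]


def matched_terms(script_block_text: str) -> list:
    """Return the rule terms present in one ScriptBlockText value."""
    haystack = script_block_text.lower()
    return [t for t in WMIMPLANT_TERMS if t.lower() in haystack]


def evaluate(events: list) -> list:
    """Apply 'condition: selection' to a batch of script block events.

    Only Event ID 4104 (Script Block Logging) records are considered; this
    event-ID mapping is an assumption of this example, not part of the rule.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        terms = matched_terms(ev.get("ScriptBlockText", ""))
        if terms:
            hits.append({"id": ev["id"], "terms": terms, "level": "high"})
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Case-insensitive match on the tool name.
    {"id": 1, "EventID": 4104, "ScriptBlockText": "Import-Module .\\wmimplant.ps1"},
    # Admin script reusing a keyword as a token: the documented false positive.
    {"id": 2, "EventID": 4104, "ScriptBlockText": "foreach ($t in $targets) { service_mod $t }"},
    {"id": 3, "EventID": 4104, "ScriptBlockText": "Get-WinEvent -LogName Security | Where-Object Id -eq 4624"},
    # Keyword inside quotes has no surrounding spaces, so ' service_mod ' does not match.
    {"id": 4, "EventID": 4104, "ScriptBlockText": "Write-Host 'service_mod'"},
    # Not a script block event, so ignored regardless of content.
    {"id": 5, "EventID": 4103, "ScriptBlockText": " power_off "},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```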
Related rules
- HTML Help HH.EXE Suspicious Child Process
- HackTool - CrackMapExec Execution
- HackTool - CrackMapExec Execution Patterns
- Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
- Suspicious HH.EXE Execution