AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
Sigma rule (View on GitHub)
1title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
2id: 074e0ded-6ced-4ebd-8b4d-53f55908119d
3status: test
4description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
5references:
6 - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
7author: Julia Fomina, oscd.community
8date: 2020/10/06
9modified: 2022/10/09
10tags:
11 - attack.defense_evasion
12 - attack.t1216
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 contains_format_pretty_arg:
18 CommandLine|contains:
19 - 'format:pretty'
20 - 'format:"pretty"'
21 - 'format:"text"'
22 - 'format:text'
23 image_from_system_folder:
24 Image|startswith:
25 - 'C:\Windows\System32\'
26 - 'C:\Windows\SysWOW64\'
27 contains_winrm:
28 CommandLine|contains: 'winrm'
29 condition: contains_winrm and (contains_format_pretty_arg and not image_from_system_folder)
30falsepositives:
31 - Unlikely
32level: medium
References
Related rules
- Remote Code Execute via Winrm.vbs
- Potential Manage-bde.wsf Abuse To Proxy Execution
- DLL Execution Via Register-cimprovider.exe
- Detection of PowerShell Execution via Sqlps.exe
- Devtoolslauncher.exe Executes Specified Binary