← Back to Explore
sigmahighHunting
WMImplant Hack Tool
Detects parameters used by WMImplant
Detection Query
selection:
ScriptBlockText|contains:
- WMImplant
- " change_user "
- " gen_cli "
- " command_exec "
- " disable_wdigest "
- " disable_winrm "
- " enable_wdigest "
- " enable_winrm "
- " registry_mod "
- " remote_posh "
- " sched_job "
- " service_mod "
- " process_kill "
- " active_users "
- " basic_info "
- " power_off "
- " vacant_system "
- " logon_events "
condition: selection
Author
NVISO
Created
2020-03-26
Data Sources
windowsps_script
Platforms
windows
Tags
attack.executionattack.t1047attack.t1059.001
Raw Content
title: WMImplant Hack Tool
id: 8028c2c3-e25a-46e3-827f-bbb5abf181d7
status: test
description: Detects parameters used by WMImplant
references:
- https://github.com/FortyNorthSecurity/WMImplant
author: NVISO
date: 2020-03-26
modified: 2022-12-25
tags:
- attack.execution
- attack.t1047
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'WMImplant'
- ' change_user '
- ' gen_cli '
- ' command_exec '
- ' disable_wdigest '
- ' disable_winrm '
- ' enable_wdigest '
- ' enable_winrm '
- ' registry_mod '
- ' remote_posh '
- ' sched_job '
- ' service_mod '
- ' process_kill '
# - ' process_start '
- ' active_users '
- ' basic_info '
# - ' drive_list '
# - ' installed_programs '
- ' power_off '
- ' vacant_system '
- ' logon_events '
condition: selection
falsepositives:
- Administrative scripts that use the same keywords.
level: high