sigmamediumHunting

AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File

Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

MITRE ATT&CK

defense-evasion

Detection Query

system_files:
  TargetFilename|endswith:
    - WsmPty.xsl
    - WsmTxt.xsl
in_system_folder:
  TargetFilename|startswith:
    - C:\Windows\System32\
    - C:\Windows\SysWOW64\
condition: system_files and not in_system_folder

Author

Julia Fomina, oscd.community

Created

2020-10-06

Data Sources

windowsFile Events

Platforms

windows

References

https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404

Tags

attack.defense-evasionattack.t1216

Raw Content

title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
id: d353dac0-1b41-46c2-820c-d7d2561fc6ed
related:
    - id: 074e0ded-6ced-4ebd-8b4d-53f55908119d
      type: derived
status: test
description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
references:
    - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
author: Julia Fomina, oscd.community
date: 2020-10-06
modified: 2022-11-28
tags:
    - attack.defense-evasion
    - attack.t1216
logsource:
    product: windows
    category: file_event
detection:
    system_files:
        TargetFilename|endswith:
            - 'WsmPty.xsl'
            - 'WsmTxt.xsl'
    in_system_folder:
        TargetFilename|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: system_files and not in_system_folder
falsepositives:
    - Unlikely
level: medium