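# These two rules detect the Application Whitelisting
# Bypass and Arbitrary Unsigned Code Execution Technique
# in winrm.vbs documented by Matt Graeber here:
# https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
#
# NOTE(review): each rule below is written as two separate YAML
# snippets -- a DETECTION mapping and a RESPONSE list -- so this
# file is not one parseable YAML document. Load the detection
# and response parts of each rule separately, as the section
# headers indicate.
#
# RULE 1
# In this first part of the rule, we find what looks
# like a process executing with the expected command
# line parameter that would trigger the XSL load.
# If we detect it, we task the agent to send us
# all the events in recent history, which will include
# all file creation.
# Then we set a tag for two minutes, essentially
# saying "be on the lookout for the relevant XSL files
# being created".
# ===============================================
# DETECTION
event: NEW_PROCESS
rules:
  # Both sub-rules must match (op: and below).
  - op: is windows
  # Command line carrying "-format:text", "/format:pretty" or a
  # quoted variant of either; compared case-insensitively.
  - op: matches
    path: event/COMMAND_LINE
    case sensitive: false
    re: '.*(\-|/)format\:"?(text|pretty)"?.*'
op: and
# RESPONSE
# Tag the sensor for 120 seconds so RULE 2 can correlate the
# follow-up XSL file creation, then pull recent event history.
# NOTE(review): history_dump is tasked on every command-line
# match, which may include benign uses of the same switch;
# weigh the resulting event volume before enabling broadly.
- action: add tag
  tag: possible_winrm
  ttl: 120
- action: task
  command: history_dump
# RULE 2
# In the second part, we wait to see a sensor with
# the "lookout" tag enabled and a file getting created
# with the relevant names. If we see it we report.
# ===============================================
# DETECTION
event: FILE_CREATE
rules:
  # Only sensors tagged by RULE 1 (tag expires after its ttl).
  - op: is tagged
    tag: possible_winrm
  # Created path ending in WsmTxt.xsl or WsmPty.xsl, matched
  # case-insensitively; trailing whitespace is tolerated.
  - op: matches
    path: event/FILE_PATH
    case sensitive: false
    re: '.*(WsmTxt\.xsl|WsmPty\.xsl)\s*$'
op: and
# RESPONSE
- action: report
  name: possible_winrm_code_exec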