Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

HackTool - Evil-WinRm Execution - PowerShell Module

Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Sun Feb 259fe55ea2-4cd6-4491-8a54-dd6871651b51windows
Log Source
WindowsPowerShell Module
ProductWindows← raw: windows
CategoryPowerShell Module← raw: ps_module
Detection Logic
Detection Logic4 selectors
detection:
    selection_wsm:
        ContextInfo|contains:
            - ':\Windows\System32\wsmprovhost.exe'
            - ':\Windows\SysWOW64\wsmprovhost.exe'
    selection_payload_1:
        Payload|contains:
            - value="(get-location).path # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L592
            - value="(get-item*).length # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L490
            - 'Invoke-Binary ' # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L740
            - Donut-Loader -process_id*-donutfile # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L761
            - Bypass-4MSI
            - IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($a))).replace('???','')
    selection_payload_2:
        Payload|contains|all:
            - $servicios = Get-ItemProperty "registry::HKLM\System\CurrentControlSet\Services\"
            - Where-Object {$_.imagepath -notmatch "system" -and $_.imagepath -ne $null } | Select-Object pschildname,imagepath
    selection_payload_3:
        Payload|contains|all:
            - $a +=  \"$($_.FullName.Replace('\\','/'))/\"}else{  $a += \"$($_.FullName.Replace('\\', '/'))\" } # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L1001
            - $a=@();$
    condition: selection_wsm and 1 of selection_payload_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
2
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
9fe55ea2-4cd6-4491-8a54-dd6871651b51
Status
test
Level
high
Type
Detection
Created
Sun Feb 25
Author
Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml
Raw Tags
attack.lateral-movement
View on GitHub