Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File

Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Julia Fomina, oscd.communityCreated Tue Oct 06Updated Mon Nov 28d353dac0-1b41-46c2-820c-d7d2561fc6edwindows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic
Detection Logic2 selectors
detection:
    system_files:
        TargetFilename|endswith:
            - 'WsmPty.xsl'
            - 'WsmTxt.xsl'
    in_system_folder:
        TargetFilename|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: system_files and not in_system_folder
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

References
1
Resolving title…
posts.specterops.io
MITRE ATT&CK
Related Rules
DerivedDetectionmedium

AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl

Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
d353dac0-1b41-46c2-820c-d7d2561fc6ed
Status
test
Level
medium
Type
Detection
Created
Tue Oct 06
Modified
Mon Nov 28
Author
Julia Fomina, oscd.community
Path
rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml
Raw Tags
attack.defense-evasionattack.t1216
View on GitHub