administrative scripts that use the same keywords.

t1047
t1059
t1059.001
windows
sigma

Techniques

t1047
t1059
t1059.001

Sample rules

WMImplant Hack Tool

source: sigma
technicques:
- t1047
- t1059
- t1059.001

Description

Detects parameters used by WMImplant

Detection logic

condition: selection
selection:
  ScriptBlockText|contains:
  - WMImplant
  - ' change_user '
  - ' gen_cli '
  - ' command_exec '
  - ' disable_wdigest '
  - ' disable_winrm '
  - ' enable_wdigest '
  - ' enable_winrm '
  - ' registry_mod '
  - ' remote_posh '
  - ' sched_job '
  - ' service_mod '
  - ' process_kill '
  - ' active_users '
  - ' basic_info '
  - ' power_off '
  - ' vacant_system '
  - ' logon_events '