Adversaries may use malicious WsmPty.xsl or WsmTxt.xsl files, executed via winrm.vbs, to bypass application whitelisting and execute arbitrary code. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify copies of these files outside the system folders, which may indicate an attempt to evade application-whitelisting controls and establish persistence.
Detection Rule
title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
id: d353dac0-1b41-46c2-820c-d7d2561fc6ed
related:
    - id: 074e0ded-6ced-4ebd-8b4d-53f55908119d
      type: derived
status: test
description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
references:
    - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
author: Julia Fomina, oscd.community
date: 2020-10-06
modified: 2022-11-28
tags:
    - attack.defense-evasion
    - attack.t1216
logsource:
    product: windows
    category: file_event
detection:
    system_files:
        TargetFilename|endswith:
            - 'WsmPty.xsl'
            - 'WsmTxt.xsl'
    in_system_folder:
        TargetFilename|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: system_files and not in_system_folder
falsepositives:
    - Unlikely
level: medium
imFileEvent
| where (TargetFileName endswith "WsmPty.xsl" or TargetFileName endswith "WsmTxt.xsl") and (not((TargetFileName startswith "C:\\Windows\\System32\\" or TargetFileName startswith "C:\\Windows\\SysWOW64\\")))
Scenario: Scheduled Job Using Winrm.vbs for Remote Management
Description: A legitimate scheduled job uses winrm.vbs to execute remote management tasks, which may trigger the rule due to the presence of winrm.vbs.
Filter/Exclusion: Check the command line arguments for winrm.vbs to ensure it’s used with valid remote management parameters (e.g., -transport:https -proxy), and exclude known system or admin scheduled tasks.
Scenario: Admin Task Using cscript.exe to Run Valid Script
Description: An administrator uses cscript.exe (possibly renamed) to run a legitimate .vbs or .wsf script as part of routine system maintenance.
Filter/Exclusion: Filter based on the script file path (e.g., C:\Windows\System32\*script*.vbs) and check the script content for known benign commands or system utilities.
Scenario: PowerShell Script Using Winrm.vbs for Remote Execution
Description: A PowerShell script uses winrm.vbs to execute commands on remote systems as part of a legitimate DevOps or infrastructure automation process.
Filter/Exclusion: Exclude scripts that are located in known DevOps tooling directories (e.g., C:\Program Files\Azure DevOps\) and verify the script’s origin and integrity.
Scenario: WsmPty.xsl/WsmTxt.xsl Used by a Legitimate Report Generation Tool
Description: A legitimate report generation tool uses WsmPty.xsl or WsmTxt.xsl files to format its output, and the rule flags these copies even though they are benign.
Filter/Exclusion: Exclude files located in known reporting or document generation directories (e.g., C:\Program Files\Microsoft Office\) and verify the file's digital signature.
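As an added example (not part of the Sigma rule, the oscd.community project, or the original page), the following Python script re-implements the rule's condition (system_files and not in_system_folder) and runs it over constructed Sysmon FileCreate-style records, then applies the directory allowlist that the false-positive scenarios above suggest. Sigma string modifiers and the KQL endswith/startswith operators both compare case-insensitively, so the matcher lower-cases paths before comparing. The field name TargetFilename follows Sysmon Event ID 11; the sample events and the allowlist path (taken from the Microsoft Office example in the scenarios) are assumptions made for illustration.

```python
"""Re-implementation of the 'AWL Bypass with Winrm.vbs and Malicious
WsmPty.xsl/WsmTxt.xsl - File' Sigma condition, with an optional tuning
allowlist. Added example, not the rule's own code."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Values lifted directly from the Sigma rule, lower-cased because Sigma
# string matching is case-insensitive by default.
SUSPECT_SUFFIXES: Tuple[str, ...] = ("wsmpty.xsl", "wsmtxt.xsl")
SYSTEM_PREFIXES: Tuple[str, ...] = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Tuning allowlist (assumption, based on the false-positive scenario above):
# directories of known reporting / document tools whose copies of these files
# are treated as benign. Extend per environment.
TUNING_ALLOWLIST_PREFIXES: Tuple[str, ...] = ("c:\\program files\\microsoft office\\",)


@dataclass
class FileEvent:
    """Minimal Sysmon Event ID 11 (FileCreate) shape: creating process and created file."""
    image: str
    target_filename: str


def rule_matches(ev: FileEvent) -> bool:
    """Sigma condition: system_files and not in_system_folder."""
    path = ev.target_filename.lower()
    is_system_file = path.endswith(SUSPECT_SUFFIXES)      # TargetFilename|endswith
    in_system_folder = path.startswith(SYSTEM_PREFIXES)   # TargetFilename|startswith
    return is_system_file and not in_system_folder


def is_tuned_out(ev: FileEvent, allowlist: Tuple[str, ...] = TUNING_ALLOWLIST_PREFIXES) -> bool:
    """True when the file sits under a directory the analyst has allowlisted."""
    path = ev.target_filename.lower()
    return path.startswith(tuple(p.lower() for p in allowlist))


def hunt(events: Iterable[FileEvent],
         allowlist: Tuple[str, ...] = TUNING_ALLOWLIST_PREFIXES) -> List[FileEvent]:
    """Return the events the rule would alert on after applying the allowlist."""
    return [ev for ev in events if rule_matches(ev) and not is_tuned_out(ev, allowlist)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[FileEvent] = [
    # Stock copy in System32: in_system_folder, so not flagged.
    FileEvent(r"C:\Windows\System32\cscript.exe", r"C:\Windows\System32\WsmPty.xsl"),
    # Copy written to a user temp directory: flagged.
    FileEvent(r"C:\Users\alice\AppData\Local\Temp\cscript.exe",
              r"C:\Users\alice\AppData\Local\Temp\WsmPty.xsl"),
    # Same, with different casing: still flagged (case-insensitive match).
    FileEvent(r"C:\Users\alice\AppData\Local\Temp\cscript.exe",
              r"C:\Users\alice\AppData\Local\Temp\WSMTXT.XSL"),
    # Matches the rule but sits under the allowlisted reporting directory: tuned out.
    FileEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Program Files\Microsoft Office\WsmTxt.xsl"),
    # Unrelated .xsl file: not flagged.
    FileEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\Temp\report.xsl"),
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"ALERT  image={hit.image}  file={hit.target_filename}")
```

The allowlist is applied after the rule, not folded into it, so the raw rule output stays comparable with the Sentinel query while tuning remains visible and reviewable per environment.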