WMImplant is a PowerShell-based post-exploitation tool that behaves like a RAT and uses WMI for command and control. Finding it on a host points to an attacker who already has a foothold: the tool's own help text advertises remote command execution, file upload and download, and lateral movement, so a hit is an early indicator of the lateral movement or data exfiltration that typically follows initial compromise. SOC teams should hunt for it proactively, for example by scanning endpoints and file shares with the rule below and routing hits into Microsoft Sentinel (formerly Azure Sentinel) for triage, so the intrusion is contained before it escalates.
YARA Rule
rule hacktool_windows_wmi_implant
{
    meta:
        description = "A PowerShell based tool that is designed to act like a RAT"
        reference = "https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html"
        author = "@fusionrace"
        id = "b32996b2-1706-5af5-ad81-f73d5899c70c"
    strings:
        $s1 = "This really isn't applicable unless you are using WMImplant interactively." fullword ascii wide
        $s2 = "What command do you want to run on the remote system? >" fullword ascii wide
        $s3 = "Do you want to [create] or [delete] a string registry value? >" fullword ascii wide
        $s4 = "Do you want to run a WMImplant against a list of computers from a file? [yes] or [no] >" fullword ascii wide
        $s5 = "What is the name of the service you are targeting? >" fullword ascii wide
        $s6 = "This function enables the user to upload or download files to/from the attacking machine to/from the targeted machine" fullword ascii wide
        $s7 = "gen_cli - Generate the CLI command to execute a command via WMImplant" fullword ascii wide
        $s8 = "exit - Exit WMImplant" fullword ascii wide
        $s9 = "Lateral Movement Facilitation" fullword ascii wide
        $s10 = "vacant_system - Determine if a user is away from the system." fullword ascii wide
        $s11 = "Please provide the ProcessID or ProcessName flag to specify the process to kill!" fullword ascii wide
    condition:
        any of them
}
Deployment and detection logic

The rule is a static content signature. Run it with the yara CLI, yara-python, or any EDR or forensics tool that can apply YARA rules to files, PowerShell script blocks and process memory; Microsoft Sentinel does not evaluate YARA itself, so hits are collected on the endpoint and forwarded to the workspace for triage.

The rule contains 11 string patterns, each a verbatim prompt or help-text line from WMImplant. Every string carries fullword ascii wide, so both plain-ASCII copies and UTF-16LE copies (the default encoding of .ps1 files saved by PowerShell ISE) are detected, and each string must be bounded by non-alphanumeric characters. The condition is any of them, so a single string is enough to fire. That makes the rule sensitive, and because the strings are specific to WMImplant the realistic false positives are copies of the tool's source itself, for instance in red-team tooling repositories or training material, rather than ordinary administrative PowerShell.
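As an added example that is not part of the original page or of the WMImplant/FireEye material, the following pure-Python code emulates how YARA evaluates this rule: each of the 11 strings is tried as plain ASCII and as UTF-16LE (wide), a hit must be bounded by non-alphanumeric characters (fullword), and one hit is enough (any of them). The samples are constructed, the script and function names are illustrative, and the emulation covers only this rule's fixed strings; for real scanning use the yara CLI or yara-python (yara.compile(source=...) followed by .match(data=...)).

```python
"""Pure-Python emulation of how YARA evaluates the hacktool_windows_wmi_implant
rule. Added example, not part of the page or of the rule author's tooling: it
mirrors the `fullword ascii wide` modifiers and the `any of them` condition for
these 11 fixed strings only, so the behaviour can be checked offline on
constructed samples. For real scanning use the yara CLI or yara-python."""
import re

# The 11 strings exactly as they appear in the rule.
WMIMPLANT_STRINGS = {
    "s1": "This really isn't applicable unless you are using WMImplant interactively.",
    "s2": "What command do you want to run on the remote system? >",
    "s3": "Do you want to [create] or [delete] a string registry value? >",
    "s4": "Do you want to run a WMImplant against a list of computers from a file? [yes] or [no] >",
    "s5": "What is the name of the service you are targeting? >",
    "s6": "This function enables the user to upload or download files to/from the attacking machine to/from the targeted machine",
    "s7": "gen_cli - Generate the CLI command to execute a command via WMImplant",
    "s8": "exit - Exit WMImplant",
    "s9": "Lateral Movement Facilitation",
    "s10": "vacant_system - Determine if a user is away from the system.",
    "s11": "Please provide the ProcessID or ProcessName flag to specify the process to kill!",
}

# `fullword`: the match may not be preceded or followed by an alphanumeric
# character. For `wide` (UTF-16LE) strings the neighbouring character is two
# bytes: an ASCII alphanumeric followed by 0x00.
_ASCII_ALNUM = rb"[A-Za-z0-9]"
_WIDE_ALNUM = rb"[A-Za-z0-9]\x00"


def _fullword_pattern(text: str, wide: bool) -> re.Pattern:
    """Compile one rule string in the requested encoding with fullword boundaries."""
    encoded = text.encode("utf-16-le" if wide else "ascii")
    alnum = _WIDE_ALNUM if wide else _ASCII_ALNUM
    return re.compile(rb"(?<!" + alnum + rb")" + re.escape(encoded) + rb"(?!" + alnum + rb")")


_PATTERNS = {
    ident: (_fullword_pattern(text, wide=False), _fullword_pattern(text, wide=True))
    for ident, text in WMIMPLANT_STRINGS.items()
}


def scan(data: bytes) -> dict:
    """Return {identifier: [encodings]} for every rule string present in data."""
    hits = {}
    for ident, (ascii_re, wide_re) in _PATTERNS.items():
        encodings = [name for name, rx in (("ascii", ascii_re), ("wide", wide_re)) if rx.search(data)]
        if encodings:
            hits[ident] = encodings
    return hits


def rule_matches(data: bytes) -> bool:
    """condition: any of them -- a single string in either encoding fires the rule."""
    return bool(scan(data))


# Constructed samples (illustrative text, not real WMImplant code).
_HELP_TEXT = (
    'function Show-Help {\n'
    '    Write-Host "Lateral Movement Facilitation"\n'
    '    Write-Host "exit - Exit WMImplant"\n'
    '}\n'
)
SAMPLES = {
    # Help-text fragment saved as plain ASCII: hits via the `ascii` modifier.
    "wmimplant_ascii": _HELP_TEXT.encode("ascii"),
    # Same script saved as UTF-16LE with BOM (PowerShell ISE default): only `wide` hits.
    "wmimplant_wide": b"\xff\xfe" + _HELP_TEXT.encode("utf-16-le"),
    # Routine remoting by an administrator: no WMImplant strings, no match.
    "benign_remoting": b"Invoke-Command -ComputerName srv01 -ScriptBlock { Get-Service -Name Spooler }\n",
    # Extra trailing letter: `fullword` rejects the embedded "exit - Exit WMImplant".
    "not_fullword": b'Write-Host "exit - Exit WMImplants"\n',
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:18} match={rule_matches(data)!s:5} strings={scan(data)}")
```

Running the script prints one line per sample. The UTF-16LE sample is the one to pay attention to: a .ps1 saved by PowerShell ISE would be missed by an ascii-only string, which is why the rule carries wide. The not_fullword sample shows that fullword still tolerates a prompt embedded in longer help output (bounded by quotes or spaces) but rejects the same bytes glued to a longer identifier.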
False-positive scenarios

The scenarios below describe legitimate PowerShell activity that a hunt in Sentinel may surface alongside a hit. They concern process and command-line telemetry; none of them produces a content match on WMImplant's own prompt strings, so use them to tune the surrounding hunting queries rather than to weaken the rule.

Scenario: A system administrator is using PowerShell to remotely manage a server via PowerShell Remoting (e.g., Invoke-Command).
Exclusion hint: Invoke-Command or Enter-PSSession in the command line, or filter by the user account (e.g., Administrators group).

Scenario: A scheduled job is configured to run a legitimate PowerShell script that performs system maintenance (e.g., log cleanup or patch deployment).
Exclusion hint: C:\Windows\System32\logclean.ps1), or check for known legitimate script signatures.

Scenario: An IT support tool like PsExec or PsTools is used to execute commands on remote machines.
Exclusion hint: psexec.exe), or filter by known IT tool paths.

Scenario: A third-party monitoring tool (e.g., SolarWinds or Nagios) uses PowerShell scripts to gather system metrics.
Exclusion hint: SolarWindsOrion.exe, nagios.exe), or check for specific metric-gathering commands.

Scenario: A Windows Update or Group Policy deployment script is executed via PowerShell to configure settings across the enterprise.
Exclusion hint: C:\Windows\System32\wuauclt.exe), or check for GroupPolicy or Update keywords in the command.