Hide Navigation Hide TOC

AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl (074e0ded-6ced-4ebd-8b4d-53f55908119d)

Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
System Script Proxy Execution - T1216 (f6fe9070-7a65-49ea-ae72-76292f42cebe)	Attack Pattern	AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl (074e0ded-6ced-4ebd-8b4d-53f55908119d)	Sigma-Rules	1