Skip to content

Hide Navigation Hide TOC

AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File (d353dac0-1b41-46c2-820c-d7d2561fc6ed)

Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

Cluster A Galaxy A Cluster B Galaxy B Level
System Script Proxy Execution - T1216 (f6fe9070-7a65-49ea-ae72-76292f42cebe) Attack Pattern AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File (d353dac0-1b41-46c2-820c-d7d2561fc6ed) Sigma-Rules 1