Find sigma rule

Attack: Remote Services: Windows Remote Management

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the winrm command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with Windows Management Instrumentation.(Citation: MSDN WMI)

MITRE

Tactic

lateral-movement

technique

T1021.006

Test : Remote Code Execution with PS Credentials Using Invoke-Command

OS

windows

Description:

Simulate lateral movement with PowerShell Remoting on the local host. Upon successful execution, PowerShell will execute whoami using Invoke-Command, targeting the local machine as remote target.

Executor

powershell

Sigma Rule

posh_ps_invoke_command_remote.yml (id: 7b836d7f-179c-4ba4-90a7-a7e60afb48e6)
net_connection_win_susp_remote_powershell_session.yml (id: c539afac-c12a-46ed-b1bd-5a5567c9f045)
proc_creation_win_winrm_remote_powershell_session_process.yml (id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8)
image_load_wsman_provider_image_load.yml (id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94)
posh_pm_alternate_powershell_hosts.yml (id: 64e8e417-c19a-475a-8d19-98ea705394cc)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test