Find sigma rule
Attack: Remote Services: Windows Remote Management
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the winrm
command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with Windows Management Instrumentation.(Citation: MSDN WMI)
MITRE
Tactic
- lateral-movement
technique
- T1021.006
Test : Remote Code Execution with PS Credentials Using Invoke-Command
OS
- windows
Description:
Simulate lateral movement with PowerShell Remoting on the local host.
Upon successful execution, PowerShell will execute whoami
using Invoke-Command
, targeting the
local machine as remote target.
Executor
powershell
Sigma Rule
-
posh_ps_invoke_command_remote.yml (id: 7b836d7f-179c-4ba4-90a7-a7e60afb48e6)
-
net_connection_win_susp_remote_powershell_session.yml (id: c539afac-c12a-46ed-b1bd-5a5567c9f045)
-
proc_creation_win_winrm_remote_powershell_session_process.yml (id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8)
-
image_load_wsman_provider_image_load.yml (id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94)
-
posh_pm_alternate_powershell_hosts.yml (id: 64e8e417-c19a-475a-8d19-98ea705394cc)