Find sigma rule
Attack: Remote Services: Windows Remote Management
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the winrm
command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with Windows Management Instrumentation.(Citation: MSDN WMI)
MITRE
Tactic
- lateral-movement
technique
- T1021.006
Test : Enable Windows Remote Management
OS
- windows
Description:
Powershell Enable WinRM
Upon successful execution, powershell will “Enable-PSRemoting” allowing for remote PS access.
Executor
powershell
Sigma Rule
-
posh_ps_enable_psremoting.yml (id: 991a9744-f2f0-44f2-bd33-9092eba17dc3)
-
posh_ps_remove_item_path.yml (id: b8af5f36-1361-4ebe-9e76-e36128d947bf)
-
image_load_wsman_provider_image_load.yml (id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94)