Find sigma rule

Attack: Remote Services: Windows Remote Management

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the winrm command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with Windows Management Instrumentation.(Citation: MSDN WMI)

MITRE

Tactic

lateral-movement

technique

T1021.006

Test : Enable Windows Remote Management

OS

windows

Description:

Powershell Enable WinRM

Upon successful execution, powershell will “Enable-PSRemoting” allowing for remote PS access.

Executor

powershell

Sigma Rule

posh_ps_enable_psremoting.yml (id: 991a9744-f2f0-44f2-bd33-9092eba17dc3)
posh_ps_remove_item_path.yml (id: b8af5f36-1361-4ebe-9e76-e36128d947bf)
image_load_wsman_provider_image_load.yml (id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test