Find sigma rule
Attack: Remote Services: Windows Remote Management
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the winrm
command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with Windows Management Instrumentation.(Citation: MSDN WMI)
MITRE
Tactic
- lateral-movement
technique
- T1021.006
Test : WinRM Access with Evil-WinRM
OS
- windows
Description:
An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled
Executor
powershell
Sigma Rule
- proc_creation_win_hktl_evil_winrm.yml (id: a197e378-d31b-41c0-9635-cfdf1c1bb423)