Execute Invoke-command on Remote Host
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
Sigma rule (View on GitHub)
1title: Execute Invoke-command on Remote Host
2id: 7b836d7f-179c-4ba4-90a7-a7e60afb48e6
3status: test
4description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command
7 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.4
8author: frack113
9date: 2022-01-07
10tags:
11 - attack.lateral-movement
12 - attack.t1021.006
13logsource:
14 product: windows
15 category: ps_script
16 definition: 'Requirements: Script Block Logging must be enabled'
17detection:
18 selection_cmdlet:
19 ScriptBlockText|contains|all:
20 - 'invoke-command '
21 - ' -ComputerName '
22 condition: selection_cmdlet
23falsepositives:
24 - Legitimate script
25level: medium
References
Related rules
- Enable Windows Remote Management
- HackTool - WinRM Access Via Evil-WinRM
- OMIGOD HTTP No Authentication RCE
- Potential Remote PowerShell Session Initiated
- Remote LSASS Process Access Through Windows Remote Management