Execute Invoke-command on Remote Host

calendar Jan 27, 2023 · attack.lateral_movement attack.t1021.006  ·
Share on: linkedin copy

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

Sigma rule (View on GitHub)

 1title: Execute Invoke-command on Remote Host
 2id: 7b836d7f-179c-4ba4-90a7-a7e60afb48e6
 3status: test
 4description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command
 7    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2
 8author: frack113
 9date: 2022/01/07
10tags:
11    - attack.lateral_movement
12    - attack.t1021.006
13logsource:
14    product: windows
15    category: ps_script
16    definition: 'Requirements: Script Block Logging must be enabled'
17detection:
18    selection_cmdlet:
19        ScriptBlockText|contains|all:
20            - 'invoke-command '
21            - ' -ComputerName '
22    condition: selection_cmdlet
23falsepositives:
24    - Legitimate script
25level: medium

References

  • atomic-red-team/atomics/T1021.006/T1021.006.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

    Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team


    Read More

  • Invoke-Command (Microsoft.PowerShell.Core) - PowerShell

    The Invoke-Command cmdlet runs commands on a local or remote computer and returns all output from the commands, including errors. Using a single Invoke-Command command, you can run commands on multiple computers. To run a single command on a remote computer, use the ComputerName parameter. To run a series of related commands that share data, use the New-PSSession cmdlet to create a PSSession (a persistent connection) on the remote computer, and then use the Session parameter of Invoke-Command to run the command in the PSSession. To run a command in a disconnected session, use the InDisconnectedSession parameter. To run a command in a background job, use the AsJob parameter. You can also use Invoke-Command on a local computer to a run script block as a command. PowerShell runs the script block immediately in a child scope of the current scope. Before using Invoke-Command to run commands on a remote computer, read about_Remote. Starting with PowerShell 6.0 you can use Secure Shell (SSH) to establish a connection to and invoke commands on remote computers. SSH must be installed on the local computer and the remote computer must be configured with a PowerShell SSH endpoint. The benefit of an SSH based PowerShell remote session is that it works across multiple platforms (Windows, Linux, macOS). For SSH based session you use the HostName or SSHConnection parameters to specify the remote computer and relevant connection information. For more information about how to set up PowerShell SSH remoting, see PowerShell Remoting Over SSH. Some code samples use splatting to reduce the line length. For more information, see about_Splatting.


    Read More

Related rules

to-top