HackTool - WinRM Access Via Evil-WinRM
Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Sigma rule (View on GitHub)
1title: HackTool - WinRM Access Via Evil-WinRM
2id: a197e378-d31b-41c0-9635-cfdf1c1bb423
3status: test
4description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm
7 - https://github.com/Hackplayers/evil-winrm
8author: frack113
9date: 2022/01/07
10modified: 2023/02/13
11tags:
12 - attack.lateral_movement
13 - attack.t1021.006
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_mstsc:
19 Image|endswith: '\ruby.exe'
20 CommandLine|contains|all:
21 - '-i '
22 - '-u '
23 - '-p '
24 condition: 1 of selection_*
25falsepositives:
26 - Unknown
27level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
The ultimate WinRM shell for hacking/pentesting. Contribute to Hackplayers/evil-winrm development by creating an account on GitHub.
Read More
Related rules
- Enable Windows Remote Management
- Execute Invoke-command on Remote Host
- DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
- Protected Storage Service Access
- Wmiprvse Wbemcomn DLL Hijack