Remote Code Execute via Winrm.vbs

Detects an attempt to execute code or create a service on a remote host via winrm.vbs.

Sigma rule

title: Remote Code Execute via Winrm.vbs
id: 9df0dd3a-1a5c-47e3-a2bc-30ed177646a0
status: test
description: Detects an attempt to execute code or create service on remote host via winrm.vbs.
references:
    - https://twitter.com/bohops/status/994405551751815170
    - https://redcanary.com/blog/lateral-movement-winrm-wmi/
    - https://lolbas-project.github.io/lolbas/Scripts/Winrm/
author: Julia Fomina, oscd.community
date: 2020/10/07
modified: 2023/03/03
tags:
    - attack.defense_evasion
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        # Note: winrm.vbs can only be run by a process named cscript (see "IsCScriptEnv" function)
        - Image|endswith: '\cscript.exe'
        - OriginalFileName: 'cscript.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'winrm'
            - 'invoke Create wmicimv2/Win32_'
            - '-r:http'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
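To see how the rule's selections combine (the list under selection_img is an OR, contains|all is an AND, and the condition ANDs both selections), here is a small evaluator run over constructed process_creation events. This is an added example, not code from the Sigma project or the rule author; the event field values and the host name SRV01 are made up.

```python
# Rule selections: selection_img is a list of maps (OR between entries);
# selection_cli is one map whose contains|all list is ANDed.
SELECTION_IMG = [
    {"Image|endswith": "\\cscript.exe"},
    {"OriginalFileName": "cscript.exe"},
]
SELECTION_CLI = {"CommandLine|contains|all": ["winrm", "invoke Create wmicimv2/Win32_", "-r:http"]}

def field_matches(event, key, expected):
    """Evaluate one 'Field|modifier' pair; Sigma string matching is case-insensitive."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()
    if "contains" in mods and "all" in mods:
        return all(str(v).lower() in value for v in expected)
    if "endswith" in mods:
        return value.endswith(str(expected).lower())
    return value == str(expected).lower()  # no modifier: exact match

def selection_matches(event, selection):
    """A list selection is OR over its maps; a map is AND over its fields."""
    if isinstance(selection, list):
        return any(selection_matches(event, m) for m in selection)
    return all(field_matches(event, k, v) for k, v in selection.items())

def rule_matches(event):
    """condition: all of selection* -> selection_img AND selection_cli."""
    return selection_matches(event, SELECTION_IMG) and selection_matches(event, SELECTION_CLI)

# Constructed process_creation events (not real telemetry; host SRV01 is made up).
EVENTS = {
    "remote_create_via_cscript": {  # the behaviour the rule targets: should fire
        "Image": "C:\\Windows\\System32\\cscript.exe",
        "OriginalFileName": "cscript.exe",
        "CommandLine": "cscript.exe winrm.vbs invoke Create wmicimv2/Win32_Process -r:http://SRV01:5985",
    },
    "renamed_cscript": {  # copied binary: Image misses, OriginalFileName still catches it
        "Image": "C:\\Temp\\updater.exe",
        "OriginalFileName": "cscript.exe",
        "CommandLine": "updater.exe winrm.vbs invoke Create wmicimv2/Win32_Service -r:http://SRV01:5985",
    },
    "local_winrm_query": {  # no -r:http target, so selection_cli fails
        "Image": "C:\\Windows\\System32\\cscript.exe",
        "OriginalFileName": "cscript.exe",
        "CommandLine": "cscript.exe winrm.vbs get winrm/config",
    },
}

def evaluate_all():
    """Map each sample event name to whether the rule fires on it."""
    return {name: rule_matches(ev) for name, ev in EVENTS.items()}
```

The renamed_cscript case is why the rule keeps both Image and OriginalFileName: a copied cscript binary defeats the path check but not the PE version resource.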
