Suspicious Processes Spawned by WinRM
Detects suspicious processes, including shells, spawned from the WinRM host process (wsmprovhost.exe)
Sigma rule
title: Suspicious Processes Spawned by WinRM
id: 5cc2cda8-f261-4d88-a2de-e9e193c86716
status: test
description: Detects suspicious processes including shells spawned from WinRM host process
author: Andreas Hunkeler (@Karneades), Markus Neis
references:
    - Internal Research
date: 2021-05-20
modified: 2022-07-14
tags:
    - attack.t1190
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\wsmprovhost.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\sh.exe'
            - '\bash.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wsl.exe'
            - '\schtasks.exe'
            - '\certutil.exe'
            - '\whoami.exe'
            - '\bitsadmin.exe'
    condition: selection
falsepositives:
    - Legitimate WinRM usage
level: high
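The detection block above reduces to two string tests on a process_creation event: the parent image must end with \wsmprovhost.exe and the child image must end with one of the listed names. The following Python is an added example, not code from SigmaHQ or the rule authors. It re-implements that selection over constructed sample events so the match semantics can be checked offline: the paths, command lines and the "Field=value|Field=value" line format are hypothetical (a flat export invented for this example, not a real Sysmon or 4688 format), the comparison is case-insensitive as Sigma's endswith modifier is on Windows fields, and the last sample shows that the rule keys on Image alone, so a renamed copy of cmd.exe whose OriginalFileName is still Cmd.Exe is not matched.

```python
"""Re-implementation of the rule's 'selection' block over constructed events (added example)."""

# Suffixes copied from the Sigma rule. Sigma's |endswith on Windows path fields is
# case-insensitive, so both sides are lower-cased before comparing.
PARENT_SUFFIX = "\\wsmprovhost.exe"
CHILD_SUFFIXES = (
    "\\cmd.exe", "\\sh.exe", "\\bash.exe", "\\powershell.exe", "\\pwsh.exe",
    "\\wsl.exe", "\\schtasks.exe", "\\certutil.exe", "\\whoami.exe", "\\bitsadmin.exe",
)


def parse_event(line):
    """Parse one hypothetical 'Field=value|Field=value' log line into a dict."""
    event = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        event[key.strip()] = value.strip()
    return event


def endswith_ci(value, suffix):
    """Case-insensitive suffix test, matching Sigma's endswith semantics on Windows."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event):
    """True when the event satisfies the rule's selection (ParentImage AND Image)."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    return endswith_ci(parent, PARENT_SUFFIX) and any(
        endswith_ci(image, suffix) for suffix in CHILD_SUFFIXES
    )


# Constructed sample events (hypothetical, not real telemetry), carrying the fields
# a process_creation log source exposes after Sigma's field mapping.
SAMPLE_LOG = [
    r"ParentImage=C:\Windows\System32\wsmprovhost.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c whoami",
    r"ParentImage=C:\WINDOWS\SYSTEM32\WSMPROVHOST.EXE|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -NoProfile",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe",
    r"ParentImage=C:\Windows\System32\wsmprovhost.exe|Image=C:\Windows\System32\conhost.exe|CommandLine=conhost.exe 0xffffffff",
    r"ParentImage=C:\Windows\System32\wsmprovhost.exe|Image=C:\Windows\System32\certutil.exe|CommandLine=certutil.exe -decode payload.b64 payload.exe",
    # Renamed cmd.exe: Image no longer ends with \cmd.exe, so the rule does not fire
    # even though OriginalFileName still reveals the binary.
    r"ParentImage=C:\Windows\System32\wsmprovhost.exe|Image=C:\Temp\svc.exe|OriginalFileName=Cmd.Exe|CommandLine=svc.exe /c whoami",
]


def run_detection(lines):
    """Return the indexes of the log lines the rule would alert on."""
    return [i for i, line in enumerate(lines) if matches_rule(parse_event(line))]


if __name__ == "__main__":
    for i in run_detection(SAMPLE_LOG):
        print("ALERT:", SAMPLE_LOG[i])
```

Run as a script it prints the three alerting lines (indexes 0, 1 and 4). The conhost.exe child is silently ignored, as the rule intends, and the renamed binary in the last line is missed; a backend that also exposes OriginalFileName could be given an additional selection on that field, but that is beyond what this rule specifies.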