Suspicious Processes Spawned by WinRM
Detects suspicious processes, including shells, spawned from the WinRM host process
Sigma rule
title: Suspicious Processes Spawned by WinRM
id: 5cc2cda8-f261-4d88-a2de-e9e193c86716
status: test
description: Detects suspicious processes including shells spawned from WinRM host process
author: Andreas Hunkeler (@Karneades), Markus Neis
references:
    - Internal Research
date: 2021/05/20
modified: 2022/07/14
tags:
    - attack.t1190
    - attack.initial_access
    - attack.persistence
    - attack.privilege_escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\wsmprovhost.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\sh.exe'
            - '\bash.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wsl.exe'
            - '\schtasks.exe'
            - '\certutil.exe'
            - '\whoami.exe'
            - '\bitsadmin.exe'
    condition: selection
falsepositives:
    - Legitimate WinRM usage
level: high
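The following Python is an added example, not part of the rule or of the SigmaHQ project. It re-implements the rule's single `selection` block (parent path ending in `\wsmprovhost.exe` and child path ending in one of the listed binaries) and runs it over a handful of constructed Sysmon-style process_creation events. The field names `ParentImage` and `Image` come from the rule; the event contents are made up for illustration. Two details worth seeing in code: Sigma string matching is case-insensitive by default, so a mixed-case path still fires, and the leading backslash in each `endswith` value anchors the match on the path separator, so a binary such as `notcmd.exe` does not match `\cmd.exe`.

```python
"""Evaluate the 'Suspicious Processes Spawned by WinRM' selection over sample events.

Added example: not part of the Sigma rule or SigmaHQ. Field names (Image,
ParentImage) follow the rule's process_creation log source; the events below
are constructed for illustration only.
"""
from typing import Iterable

# Values copied from the rule's detection.selection block.
PARENT_SUFFIX = "\\wsmprovhost.exe"
CHILD_SUFFIXES = (
    "\\cmd.exe", "\\sh.exe", "\\bash.exe", "\\powershell.exe", "\\pwsh.exe",
    "\\wsl.exe", "\\schtasks.exe", "\\certutil.exe", "\\whoami.exe", "\\bitsadmin.exe",
)


def endswith_ci(value: str, suffix: str) -> bool:
    """Sigma's 'endswith' modifier: string matching is case-insensitive by default."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'selection' (condition: selection).

    Both fields must be present and be strings; a missing field cannot satisfy
    an endswith test, so such events never fire.
    """
    parent = event.get("ParentImage")
    image = event.get("Image")
    if not isinstance(parent, str) or not isinstance(image, str):
        return False
    return endswith_ci(parent, PARENT_SUFFIX) and any(
        endswith_ci(image, s) for s in CHILD_SUFFIXES
    )


def run_detection(events: Iterable[dict]) -> list[dict]:
    """Filter a stream of process_creation events down to the ones that fire."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (Sysmon event ID 1 style field names).
SAMPLE_EVENTS = [
    {  # fires: PowerShell launched from the WinRM plugin host
        "EventID": 1,
        "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile",
    },
    {  # fires: mixed-case path still matches (case-insensitive endswith)
        "EventID": 1,
        "ParentImage": r"c:\windows\system32\WSMPROVHOST.EXE",
        "Image": r"C:\Windows\System32\whoami.exe",
        "CommandLine": "whoami /all",
    },
    {  # does not fire: parent is not wsmprovhost.exe
        "EventID": 1,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe",
    },
    {  # does not fire: child is not in the rule's list
        "EventID": 1,
        "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
        "Image": r"C:\Windows\System32\conhost.exe",
        "CommandLine": "conhost.exe",
    },
    {  # does not fire: the leading backslash in '\cmd.exe' anchors on the
       # path separator, so 'notcmd.exe' is not a match
        "EventID": 1,
        "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
        "Image": r"C:\Temp\notcmd.exe",
        "CommandLine": "notcmd.exe",
    },
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT (level: high):", hit["ParentImage"], "->", hit["Image"])
```

Running the script prints two alerts, one for each of the first two events. When tuning the rule's documented false positive (legitimate WinRM usage), the `CommandLine` field carried on each event is the natural place to add an exclusion, since the rule itself keys only on the two image paths.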
Related rules
- Shell Process Spawned by Java.EXE
- Suspicious Processes Spawned by Java.EXE
- Cisco BGP Authentication Failures
- Cisco LDP Authentication Failures
- Huawei BGP Authentication Failures