attack.t1021.006

Remote LSASS Process Access Through Windows Remote Management

Dec 4, 2023 · attack.credential_access attack.execution attack.t1003.001 attack.t1059.001 attack.lateral_movement attack.t1021.006 attack.s0002 ·

Share on:

Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.

Remote PowerShell Session (PS Classic)

Oct 28, 2023 · attack.execution attack.t1059.001 attack.lateral_movement attack.t1021.006 ·

Share on:

Detects remote PowerShell sessions

OMIGOD HTTP No Authentication RCE

Oct 18, 2023 · attack.privilege_escalation attack.initial_access attack.execution attack.lateral_movement attack.t1068 attack.t1190 attack.t1203 attack.t1021.006 attack.t1210 ·

Share on:

Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request. Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.

Remote PowerShell Session (Network)

Oct 18, 2023 · attack.execution attack.t1059.001 attack.lateral_movement attack.t1021.006 ·

Share on:

Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.

Remote PowerShell Session (PS Module)

May 15, 2023 · attack.execution attack.t1059.001 attack.lateral_movement attack.t1021.006 ·

Share on:

Detects remote PowerShell sessions

Remote PowerShell Session Host Process (WinRM)

Mar 5, 2023 · attack.execution attack.t1059.001 attack.t1021.006 ·

Share on:

Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).

HackTool - WinRM Access Via Evil-WinRM

Feb 13, 2023 · attack.lateral_movement attack.t1021.006 ·

Share on:

Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Enable Windows Remote Management

Jan 27, 2023 · attack.lateral_movement attack.t1021.006 ·

Share on:

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

Execute Invoke-command on Remote Host

Jan 27, 2023 · attack.lateral_movement attack.t1021.006 ·

Share on:

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.