rules/windows/process_creation/proc_creation_win_evil_winrm.yml

title: WinRM Access with Evil-WinRM
id: a197e378-d31b-41c0-9635-cfdf1c1bb423
status: experimental
description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. 
author: frack113
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm
    - https://github.com/Hackplayers/evil-winrm
date: 2022/01/07
logsource:
    category: process_creation
    product: windows
detection:
    selection_mstsc:
        Image|endswith: \ruby.exe
        CommandLine|contains|all:
            - '-i '
            - '-u '
            - '-p '
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
tags:
    - attack.lateral_movement
    - attack.t1021.006
$frack113$ Windows Redcannary 2022-01-08 09:17:56 +01:00			`title: WinRM Access with Evil-WinRM`
			`id: a197e378-d31b-41c0-9635-cfdf1c1bb423`
			`status: experimental`
			`description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.`
			`author: frack113`
			`references:`
			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm`
			`- https://github.com/Hackplayers/evil-winrm`
			`date: 2022/01/07`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection_mstsc:`
			`Image\|endswith: \ruby.exe`
			`CommandLine\|contains\|all:`
			`- '-i '`
			`- '-u '`
			`- '-p '`
			`condition: 1 of selection_*`
			`falsepositives:`
fix: more falsepositives harmonization 2022-03-16 14:39:23 +01:00			`- Unknown`
$frack113$ Windows Redcannary 2022-01-08 09:17:56 +01:00			`level: medium`
			`tags:`
			`- attack.lateral_movement`
			`- attack.t1021.006`