title: WinRM Access with Evil-WinRM
id: a197e378-d31b-41c0-9635-cfdf1c1bb423
status: experimental
description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. 
author: frack113
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm
    - https://github.com/Hackplayers/evil-winrm
date: 2022/01/07
logsource:
    category: process_creation
    product: windows
detection:
    selection_mstsc:
        Image|endswith: \ruby.exe
        CommandLine|contains|all:
            - '-i '
            - '-u '
            - '-p '
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
tags:
    - attack.lateral_movement
    - attack.t1021.006