security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
01dc930c173e329c191245b76f05de5fa4b5da21
blue-team-tools/rules/windows/process_creation/win_susp_winrm_execution.yml
T
frack113 01dc930c17 Change status for old rules
2021-11-27 11:33:14 +01:00

29 lines
777 B
YAML
Raw Blame History

title: Remote Code Execute via Winrm.vbs
id: 9df0dd3a-1a5c-47e3-a2bc-30ed177646a0
status: test
description: Detects an attempt to execute code or create service on remote host via winrm.vbs.
author: Julia Fomina, oscd.community
references:
- https://twitter.com/bohops/status/994405551751815170
- https://redcanary.com/blog/lateral-movement-winrm-wmi/
date: 2020/10/07
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\cscript.exe'
CommandLine|contains|all:
- 'winrm'
- 'invoke Create wmicimv2/Win32_'
- '-r:http'
condition: selection
falsepositives:
- Legitimate use for administartive purposes. Unlikely
level: medium
tags:
- attack.defense_evasion
- attack.t1216
Reference in New Issue View Git Blame Copy Permalink