security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da07164ce0d651bf72691bac1cfcafbf20249de
blue-team-tools/rules/windows/process_creation/proc_creation_win_evil_winrm.yml
T
frack113 1f8e37351e order yaml
2022-10-28 15:06:36 +02:00

27 lines
901 B
YAML
Raw Blame History

title: WinRM Access with Evil-WinRM
id: a197e378-d31b-41c0-9635-cfdf1c1bb423
status: experimental
description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm
- https://github.com/Hackplayers/evil-winrm
author: frack113
date: 2022/01/07
tags:
- attack.lateral_movement
- attack.t1021.006
logsource:
category: process_creation
product: windows
detection:
selection_mstsc:
Image|endswith: '\ruby.exe'
CommandLine|contains|all:
- '-i '
- '-u '
- '-p '
condition: 1 of selection_*
falsepositives:
- Unknown
level: medium
Reference in New Issue View Git Blame Copy Permalink