title: Remote Code Execute via Winrm.vbs
author: Julia Fomina, oscd.community
date: 2020/10/07
description: Detects an attempt to execute code or create service on remote host via
  winrm.vbs.
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image: '*\cscript.exe'
  SELECTION_3:
    CommandLine: '*winrm*'
  SELECTION_4:
    CommandLine: '*invoke Create wmicimv2/Win32_*'
  SELECTION_5:
    CommandLine: '*-r:http*'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- Legitimate use for administartive purposes. Unlikely
id: 9df0dd3a-1a5c-47e3-a2bc-30ed177646a0
level: medium
logsource:
  category: process_creation
  product: windows
references:
- https://twitter.com/bohops/status/994405551751815170
- https://redcanary.com/blog/lateral-movement-winrm-wmi/
status: experimental
tags:
- attack.defense_evasion
- attack.t1216