35 lines
1.0 KiB
YAML
35 lines
1.0 KiB
YAML
title: Remote Code Execute via Winrm.vbs
|
|
author: Julia Fomina, oscd.community
|
|
date: 2020/10/07
|
|
description: Detects an attempt to execute code or create service on remote host via
|
|
winrm.vbs.
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 1
|
|
SELECTION_2:
|
|
Image: '*\cscript.exe'
|
|
SELECTION_3:
|
|
CommandLine: '*winrm*'
|
|
SELECTION_4:
|
|
CommandLine: '*invoke Create wmicimv2/Win32_*'
|
|
SELECTION_5:
|
|
CommandLine: '*-r:http*'
|
|
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
|
|
falsepositives:
|
|
- Legitimate use for administartive purposes. Unlikely
|
|
id: 9df0dd3a-1a5c-47e3-a2bc-30ed177646a0
|
|
level: medium
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
references:
|
|
- https://twitter.com/bohops/status/994405551751815170
|
|
- https://redcanary.com/blog/lateral-movement-winrm-wmi/
|
|
status: experimental
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.t1216
|
|
yml_filename: win_susp_winrm_execution.yml
|
|
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
|
|
|