Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

HackTool - WinRM Access Via Evil-WinRM

Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François HubautCreated Fri Jan 07Updated Mon Feb 13a197e378-d31b-41c0-9635-cfdf1c1bb423windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        Image|endswith: '\ruby.exe'
        CommandLine|contains|all:
            - '-i '
            - '-u '
            - '-p '
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
2
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
a197e378-d31b-41c0-9635-cfdf1c1bb423
Status
test
Level
medium
Type
Detection
Created
Fri Jan 07
Modified
Mon Feb 13
Author
François Hubaut
Path
rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml
Raw Tags
attack.lateral-movementattack.t1021.006
View on GitHub