Detects suspicious processes, including shells, spawned from the WinRM host process (wsmprovhost.exe)
title: Suspicious Processes Spawned by WinRM
id: 5cc2cda8-f261-4d88-a2de-e9e193c86716
status: test
description: Detects suspicious processes, including shells, spawned from the WinRM host process (wsmprovhost.exe)
author: Andreas Hunkeler (@Karneades), Markus Neis
references:
    - Internal Research
date: 2021-05-20
modified: 2022-07-14
tags:
    - attack.t1190
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\wsmprovhost.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\sh.exe'
            - '\bash.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wsl.exe'
            - '\schtasks.exe'
            - '\certutil.exe'
            - '\whoami.exe'
            - '\bitsadmin.exe'
    condition: selection
falsepositives:
    - Legitimate WinRM usage, e.g. administrators running commands through PowerShell remoting or remote-management tooling that executes over WinRM
level: high
imProcessCreate
| where (ParentProcessName endswith "\\wsmprovhost.exe" or ActingProcessName endswith "\\wsmprovhost.exe")
    and (TargetProcessName endswith "\\cmd.exe"
        or TargetProcessName endswith "\\sh.exe"
        or TargetProcessName endswith "\\bash.exe"
        or TargetProcessName endswith "\\powershell.exe"
        or TargetProcessName endswith "\\pwsh.exe"
        or TargetProcessName endswith "\\wsl.exe"
        or TargetProcessName endswith "\\schtasks.exe"
        or TargetProcessName endswith "\\certutil.exe"
        or TargetProcessName endswith "\\whoami.exe"
        or TargetProcessName endswith "\\bitsadmin.exe")
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | ASIM process-creation parser; ensure the data connectors feeding it (e.g. Windows Security Events, Sysmon) are enabled |
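The following is an added example, not code from the rule's authors, from Sigma, or from Microsoft Sentinel: it runs the `selection` logic of the rule above (and the parent test of its KQL form, which accepts either ParentProcessName or ActingProcessName) over constructed process-creation events. Field names are taken from Sigma's process_creation log source (Image, ParentImage) and from the imProcessCreate columns used in the KQL (TargetProcessName, ParentProcessName, ActingProcessName); every event below is constructed for the example, not real telemetry.

```python
"""Evaluate the 'Suspicious Processes Spawned by WinRM' selection over
constructed events (added example; not the rule's or Sigma's own code)."""

RULE_TITLE = "Suspicious Processes Spawned by WinRM"
RULE_LEVEL = "high"

# ParentImage|endswith
PARENT_SUFFIXES = ("\\wsmprovhost.exe",)

# Image|endswith, the list from the rule verbatim. The leading backslash
# matters: it anchors on the file name, so "notcmd.exe" does not match.
CHILD_SUFFIXES = (
    "\\cmd.exe", "\\sh.exe", "\\bash.exe", "\\powershell.exe", "\\pwsh.exe",
    "\\wsl.exe", "\\schtasks.exe", "\\certutil.exe", "\\whoami.exe",
    "\\bitsadmin.exe",
)


def endswith_ci(value, suffixes):
    """Sigma string modifiers and KQL's `endswith` compare case-insensitively;
    a missing or empty field never matches."""
    if not value:
        return False
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_sigma(event):
    """`condition: selection`: both field tests of the selection must hold."""
    return (endswith_ci(event.get("ParentImage"), PARENT_SUFFIXES)
            and endswith_ci(event.get("Image"), CHILD_SUFFIXES))


def matches_asim(record):
    """The KQL form: the parent test is satisfied by ParentProcessName or
    ActingProcessName, the child test by TargetProcessName."""
    parent_ok = any(endswith_ci(record.get(f), PARENT_SUFFIXES)
                    for f in ("ParentProcessName", "ActingProcessName"))
    return parent_ok and endswith_ci(record.get("TargetProcessName"),
                                     CHILD_SUFFIXES)


def alerts(events, matcher=matches_sigma):
    """One alert per matching event, carrying the rule's title and level."""
    return [{"title": RULE_TITLE, "level": RULE_LEVEL, "event": e}
            for e in events if matcher(e)]


# Constructed Sigma-style events (not real logs).
SAMPLE_EVENTS = [
    # cmd.exe spawned by the WinRM plugin host -> match
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe"},
    # Upper-case paths, PowerShell child -> match (comparison is case-insensitive)
    {"Image": r"C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE",
     "ParentImage": r"C:\WINDOWS\SYSTEM32\WSMPROVHOST.EXE"},
    # Same child, interactive parent -> no match
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # wsmprovhost.exe spawning a child not in the list -> no match
    {"Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe"},
    # File name that merely ends in "cmd.exe" -> no match (backslash anchor)
    {"Image": r"C:\Tools\notcmd.exe",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe"},
    # Malformed event with no Image -> no match, no exception
    {"ParentImage": r"C:\Windows\System32\wsmprovhost.exe"},
]

# Constructed ASIM-style records (not real Sentinel rows).
SAMPLE_ASIM_RECORDS = [
    # Parent only visible through ActingProcessName -> match in the KQL form
    {"TargetProcessName": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ActingProcessName": r"C:\Windows\System32\wsmprovhost.exe"},
    # Child not in the list -> no match
    {"TargetProcessName": r"C:\Windows\System32\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\wsmprovhost.exe"},
]

if __name__ == "__main__":
    for a in alerts(SAMPLE_EVENTS):
        print(a["level"], a["title"], a["event"]["Image"])
    for a in alerts(SAMPLE_ASIM_RECORDS, matcher=matches_asim):
        print(a["level"], a["title"], a["event"]["TargetProcessName"])
```

Two events from the first list and one from the second fire; the rest show why the rule requires both the parent and the child test, why the backslash belongs in each suffix, and that a record missing a field is simply skipped rather than raising.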