This analytic looks for the execution of
powershell.exe with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the
Invoke-Command commandlet. Red Teams and adversaries alike may abuse WinRM and
powershell.exe for lateral movement and remote code execution.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2021-11-16
- Author: Mauricio Velazco, Splunk
- ID: ba24cda8-4716-11ec-8009-3e22fbd008af
|T1021||Remote Services||Lateral Movement|
|T1021.006||Windows Remote Management||Lateral Movement|
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="*Invoke-Command*" AND Processes.process="*-ComputerName*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_powershell_filter`
Associated Analytic Story
How To Implement
To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.
Kill Chain Phase
- Lateral Movement
Known False Positives
Administrators may leverage WinRM and
Invoke-Command to start a process on remote systems for system administration or automation use cases. However, this activity is usually limited to a small set of hosts or users.
|45.0||90||50||A process was started on a remote endpoint from $dest by abusing WinRM using PowerShell.exe|
source | version: 1