LoFP / administrators may leverage winrm and `invoke-command` to start a process on remote systems for system administration or automation use cases. this activity is usually limited to a small set of hosts or users. in certain environments, tuning may not be possible.

• T1021
• T1021.006

Sample rules

Remote Process Instantiation via WinRM and PowerShell Script Block

• source: splunk
• technicques:
  • T1021
  • T1021.006

Description

The following analytic detects the execution of PowerShell commands that use the Invoke-Command cmdlet to start a process on a remote endpoint via the WinRM protocol. It leverages PowerShell Script Block Logging (EventCode=4104) to identify such activities. This behavior is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this activity could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network.

Detection logic

`powershell` EventCode=4104 (ScriptBlockText="*Invoke-Command*" AND ScriptBlockText="*-ComputerName*") 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `remote_process_instantiation_via_winrm_and_powershell_script_block_filter`

Remote Process Instantiation via WinRM and PowerShell

• source: splunk
• technicques:
  • T1021
  • T1021.006

Description

The following analytic detects the execution of powershell.exe with arguments used to start a process on a remote endpoint via the WinRM protocol, specifically targeting the Invoke-Command cmdlet. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process telemetry. This activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and lateral spread within the network.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="*Invoke-Command*" AND Processes.process="*-ComputerName*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `remote_process_instantiation_via_winrm_and_powershell_filter`