Techniques
Sample rules
Suspicious Processes Spawned by WinRM
- source: sigma
- techniques:
  - t1190
Description
Detects suspicious processes, including shells, spawned from the WinRM host process (wsmprovhost.exe)
Detection logic
selection:
  Image|endswith:
    - \cmd.exe
    - \sh.exe
    - \bash.exe
    - \powershell.exe
    - \pwsh.exe
    - \wsl.exe
    - \schtasks.exe
    - \certutil.exe
    - \whoami.exe
    - \bitsadmin.exe
  ParentImage|endswith: \wsmprovhost.exe
condition: selection
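The following is an added example, not part of the rule page or the Sigma project: a minimal Python evaluator for the selection above, run over constructed Sysmon-style process-creation events. Sigma string modifiers match case-insensitively, so the check lower-cases both sides; the event field names and sample paths are assumptions.

```python
# Added example: evaluate the WinRM child-process selection over sample events.
# Sigma 'endswith' matching is case-insensitive by default, hence the lower().
from typing import Dict, List

# Suffixes from the rule's Image|endswith list.
SUSPICIOUS_CHILD_SUFFIXES = (
    "\\cmd.exe", "\\sh.exe", "\\bash.exe", "\\powershell.exe", "\\pwsh.exe",
    "\\wsl.exe", "\\schtasks.exe", "\\certutil.exe", "\\whoami.exe",
    "\\bitsadmin.exe",
)
# Suffix from the rule's ParentImage|endswith.
WINRM_HOST_SUFFIX = "\\wsmprovhost.exe"


def matches_winrm_child_rule(event: Dict[str, str]) -> bool:
    """True when the event satisfies 'selection' (Image AND ParentImage)."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    return parent.endswith(WINRM_HOST_SUFFIX) and any(
        image.endswith(suffix) for suffix in SUSPICIOUS_CHILD_SUFFIXES
    )


def find_alerts(events: List[Dict[str, str]]) -> List[str]:
    """Return the Image path of every event that triggers the rule."""
    return [e["Image"] for e in events if matches_winrm_child_rule(e)]


# Constructed sample events (Sysmon Event ID 1 fields); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe"},     # hit
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\WSMPROVHOST.EXE"},     # hit, mixed case
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},                 # no hit: parent
    {"Image": "C:\\Windows\\System32\\conhost.exe",
     "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe"},     # no hit: image
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT: WinRM host spawned", hit)
```

Legitimate remote administration over WinRM also launches powershell.exe from wsmprovhost.exe, so expect to tune this selection against known admin hosts and accounts before alerting on it.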