Remote Process Instantiation via WinRM and PowerShell Script Block
Description
The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the Invoke-Command
commandlet. Red Teams and adversaries alike may abuse WinRM for lateral movement and remote code execution.
- Type: TTP
-
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2022-03-22
- Author: Mauricio Velazco, Splunk
- ID: 7d4c618e-4716-11ec-951c-3e22fbd008af
Annotations
ATT&CK
Kill Chain Phase
- Exploitation
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
`powershell` EventCode=4104 (ScriptBlockText="*Invoke-Command*" AND ScriptBlockText="*-ComputerName*")
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `remote_process_instantiation_via_winrm_and_powershell_script_block_filter`
Macros
The SPL above uses the following Macros:
remote_process_instantiation_via_winrm_and_powershell_script_block_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- ScriptBlockText
- Opcode
- Computer
- UserID
- EventCode
How To Implement
To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
Known False Positives
Administrators may leverage WinRM and Invoke-Command
to start a process on remote systems for system administration or automation use cases. This activity is usually limited to a small set of hosts or users. In certain environments, tuning may not be possible.
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
45.0 | 90 | 50 | A process was started on a remote endpoint from $Computer$ by abusing WinRM using PowerShell.exe |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Reference
- https://attack.mitre.org/techniques/T1021/006/
- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 2