-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2014-11-004.yaml
48 lines (47 loc) · 1.59 KB
/
CAR-2014-11-004.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
title: Remote PowerShell Sessions
submission_date: 2014/11/19
information_domain: 'Host, Network'
platforms:
- Windows
subtypes:
- Process
analytic_types:
- TTP
contributors:
- MITRE
id: CAR-2014-11-004
description: |-
According to [ATT&CK](https://attack.mitre.org/), [PowerShell](https://attack.mitre.org/techniques/T1059/001) can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe
For this to work, certain registry keys must be set, and the WinRM service must be enabled. The PowerShell command `Enter-PSSession -ComputerName \<RemoteHost\>` creates a remote PowerShell session.
coverage:
- technique: T1059
tactics:
- TA0002
subtechniques:
- T1059.001
coverage: Moderate
- technique: T1021
tactics:
- TA0008
subtechniques:
- T1021.006
coverage: Moderate
implementations:
- code: |-
process = search Process:Create
wsmprovhost = filter process where (exe == "wsmprovhost.exe" and parent_exe == "svchost.exe")
type: pseudocode
- description: EQL version of the above pseudocode.
code: |-
process where subtype.create and
(process_name == "wsmprovhost.exe" and parent_process_name == "svchost.exe")
type: EQL
data_model: EQL native
- description: LogPoint version of the above pseudocode.
code: |-
norm_id=WindowsSysmon event_id=1 image="*\wsmprovhost.exe" parent_image="*\svchost.exe"
type: LogPoint
data_model: LogPoint native
data_model_references:
- process/create/exe
- process/create/parent_exe