-
Notifications
You must be signed in to change notification settings - Fork 326
/
CAR-2014-11-006.yaml
36 lines (36 loc) · 1.52 KB
/
CAR-2014-11-006.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
---
title: Windows Remote Management (WinRM)
submission_date: 2014/11/19
information_domain: 'Host, Network'
platforms:
- Windows
subtypes:
- Network
- Netflow
analytic_types:
- Situational Awareness
contributors:
- MITRE
id: CAR-2014-11-006
description: 'When a [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) connection is opened, the client sends HTTP requests to port 5985 for HTTP or 5986 for HTTPS on the target host. Each HTTP(S) request to the URI "/wsman" is called, and other information is set in the headers. Depending on the operation, the HTTP method may vary (i.e., GET, POST, etc.). This analytic would detect Remote PowerShell, as well as other communications that rely on WinRM. Additionally, it outputs the executable on the client host, the connection information, and the hostname of the target host.'
coverage:
- technique: T1021
tactics:
- TA0008
subtechniques:
- T1021.006
coverage: Moderate
implementations:
- description: 'Look for network connections to port 5985 and 5986. To really decipher what is going on, these outputs should be fed into something that can do packet analysis.'
code: |
flow = search Flow:Start
winrm = filter flow where (dest_port == 5985)
winrm_s = filter flow where (dest_port == 5986)
output winrm, winrm_s
type: pseudocode
data_model_references:
- flow/start/dest_port
d3fend_mappings:
- iri: d3f:AdministrativeNetworkActivityAnalysis
id: D3-ANAA
label: Administrative Network Activity Analysis