← Back to Explore
sigmamediumHunting
Remote Code Execute via Winrm.vbs
Detects an attempt to execute code or create service on remote host via winrm.vbs.
Detection Query
selection_img:
- Image|endswith: \cscript.exe
- OriginalFileName: cscript.exe
selection_cli:
CommandLine|contains|all:
- winrm
- invoke Create wmicimv2/Win32_
- -r:http
condition: all of selection*
Author
Julia Fomina, oscd.community
Created
2020-10-07
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1216
Raw Content
title: Remote Code Execute via Winrm.vbs
id: 9df0dd3a-1a5c-47e3-a2bc-30ed177646a0
status: test
description: Detects an attempt to execute code or create service on remote host via winrm.vbs.
references:
- https://twitter.com/bohops/status/994405551751815170
- https://redcanary.com/blog/lateral-movement-winrm-wmi/
- https://lolbas-project.github.io/lolbas/Scripts/Winrm/
author: Julia Fomina, oscd.community
date: 2020-10-07
modified: 2023-03-03
tags:
- attack.defense-evasion
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
selection_img:
# Note: winrm.vbs can only be run by a process named cscript (see "IsCScriptEnv" function)
- Image|endswith: '\cscript.exe'
- OriginalFileName: 'cscript.exe'
selection_cli:
CommandLine|contains|all:
- 'winrm'
- 'invoke Create wmicimv2/Win32_'
- '-r:http'
condition: all of selection*
falsepositives:
- Unknown
level: medium