Detect Unknown process launched via WinRM
Detect Unkown Process Launched Via Win RM
Query
DeviceProcessEvents
| where InitiatingProcessFileName contains "wsmprovhost.exe"
| invoke FileProfile(SHA1)
| where GlobalPrevalence < 1000
| join kind=leftouter (
DeviceNetworkEvents
| where ActionType == "InboundConnectionAccepted"
| where LocalPort in ("5985", "5986")
| distinct RemoteIP, DeviceId
) on DeviceId
| project-away DeviceId1About this query
Detect Unknown process launched via WinRM
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1021.006 | Remote Services: Windows Remote Management | https://attack.mitre.org/techniques/T1021/006/ |
Description
When an unknown process is being launched from the WinRM service on a server, this might indicate a malicious actor spreading malware on various servers via the WinRM protocol.
Risk
This detection tries to detect malware being dropped over the WinRM protocol.
Author <Optional>
- Name: Robbe Van den Daele
- Github: https://github.com/RobbeVandenDaele
- Twitter: https://x.com/RobbeVdDaele
- LinkedIn: https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- Website: https://hybridbrothers.com/
References
Defender XDR
Explanation
This query is designed to detect potentially malicious activity on a network by identifying unknown processes launched via Windows Remote Management (WinRM). Here's a simplified breakdown of what the query does:
-
Data Source: The query analyzes data from
DeviceProcessEvents, which logs process-related activities on devices. -
Filter for WinRM Processes: It specifically looks for processes initiated by
wsmprovhost.exe, which is associated with WinRM. -
Check Process Prevalence: It uses a function
FileProfile(SHA1)to check the global prevalence of these processes. If a process has been seen less than 1000 times globally, it is considered uncommon or unknown, which could indicate a potential threat. -
Network Connection Check: The query then looks at
DeviceNetworkEventsto find any inbound network connections on ports 5985 or 5986, which are standard ports for WinRM. It filters for events where a connection was accepted. -
Join Data: It joins the process data with the network event data based on the device ID to correlate processes with network activity.
-
Output: Finally, it removes duplicate device IDs from the results to clean up the output.
In essence, this query aims to identify unusual processes that are initiated through WinRM, which could be indicative of malware spreading across servers using this protocol.
