
Outbound WinRM traffic indicating brute force activity

ID: winrm_brute_force
Data type: IP
Severity: Low
MITRE ATT&CK: TA0008 (Lateral Movement), T1021.006 (Remote Services: Windows Remote Management)

Description

AlphaSOC detected outbound traffic patterns consistent with a Windows Remote Management (WinRM) brute force attack: an internal system repeatedly opening WinRM connections (TCP 5985 for HTTP, TCP 5986 for HTTPS) to external hosts. WinRM sessions are authenticated, so a burst of short-lived connections to one or many external endpoints is consistent with repeated credential guessing. This behavior may indicate that the internal system has been compromised and is being used to discover or gain unauthorized access to other systems. It can also be produced by an authorized user running remote administration or scanning tooling against hosts outside the organization, which should be ruled out during triage.

Impact

Compromised systems conducting WinRM brute force attacks can gain unauthorized access to external systems, damaging the organization's reputation and potentially resulting in legal liability. The compromised internal system may also be part of a larger botnet, consuming network resources and risking blacklisting of the organization's addresses by internet service providers and reputation feeds.

Severity

Severity   Condition
Low        Excessive outbound WinRM traffic
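The detection the description and the severity condition above outline, reduced to working code: a source is flagged when its outbound connections to TCP 5985/5986 toward external addresses reach a threshold inside a sliding time window. This is an example added here for illustration, not AlphaSOC's own detection logic. The flow record format (`<epoch> <src> <dst> <dport>`), the thresholds (20 connections in 300 seconds), the set of "internal" networks and the sample flows are all assumptions; 203.0.113.0/24 is a documentation range used as a stand-in for arbitrary internet addresses.

```python
"""Flag internal hosts that open an excessive number of outbound WinRM
connections (TCP 5985/5986) to external addresses within a time window.

Added example by the editor, not AlphaSOC's detection logic. The flow
record format ("<epoch> <src> <dst> <dport>"), the thresholds and the
sample flows are assumptions; 203.0.113.0/24 is a documentation range
used here as a stand-in for arbitrary internet addresses.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
from typing import Dict, Iterable, List, Tuple

WINRM_PORTS = {5985, 5986}          # WinRM over HTTP and HTTPS

# Assumed thresholds: 20 or more WinRM connections to external hosts
# from one source within five minutes.
WINDOW_SECONDS = 300
MIN_CONNECTIONS = 20

# Address space treated as "internal"; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


@dataclass(frozen=True)
class Flow:
    ts: int     # epoch seconds
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: '<epoch> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return Flow(int(ts), src, dst, int(dport))


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_winrm_brute_force(
    flows: Iterable[Flow],
    window: int = WINDOW_SECONDS,
    min_conns: int = MIN_CONNECTIONS,
) -> Dict[str, Tuple[int, int]]:
    """Return {source: (peak_connections_in_window, distinct_destinations)}
    for every source whose outbound WinRM connections to external hosts
    reach min_conns inside any window of `window` seconds."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.dport in WINRM_PORTS and is_external(f.dst):
            by_src[f.src].append(f)

    findings: Dict[str, Tuple[int, int]] = {}
    for src, events in by_src.items():
        events.sort(key=lambda f: f.ts)
        best = (0, 0)
        start = 0
        for end, ev in enumerate(events):
            # Slide the window start forward until it spans at most `window` seconds.
            while ev.ts - events[start].ts > window:
                start += 1
            count = end - start + 1
            if count >= min_conns and count > best[0]:
                dsts = {f.dst for f in events[start:end + 1]}
                best = (count, len(dsts))
        if best[0]:
            findings[src] = best
    return findings


# Constructed sample: 10.0.0.5 sprays five external hosts on 5985 every
# ten seconds; 10.0.0.7 makes three legitimate HTTPS WinRM connections;
# 10.0.0.9 hammers an internal host, which this outbound check ignores.
SAMPLE_LINES = (
    [f"{1700000000 + i * 10} 10.0.0.5 203.0.113.{10 + i % 5} 5985" for i in range(25)]
    + [f"{1700000000 + i * 60} 10.0.0.7 203.0.113.50 5986" for i in range(3)]
    + [f"{1700000000 + i * 10} 10.0.0.9 10.0.0.20 5985" for i in range(40)]
    + ["1700000005 10.0.0.5 203.0.113.10 443"]
)


def run_sample() -> Dict[str, Tuple[int, int]]:
    return detect_winrm_brute_force(parse_flow(l) for l in SAMPLE_LINES)


if __name__ == "__main__":
    for src, (count, dsts) in run_sample().items():
        print(f"{src}: {count} outbound WinRM connections to {dsts} external hosts")
```

Only the spraying host is reported; the internal-to-internal WinRM traffic is deliberately out of scope because this alert is about outbound activity, and the three connections from the administrative host stay below the threshold. The distinct-destination count is reported alongside the connection count so an analyst can tell a single-target brute force from a spray across many hosts.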

Investigation and Remediation

Investigate the source system for signs of compromise. First confirm whether the host has a legitimate reason to open WinRM sessions to external addresses (for example, administration of cloud-hosted Windows servers by an IT or operations team). If it does not, identify the process that owns the outbound connections to TCP 5985/5986 and the account it runs as, and review the host's WinRM operational and Security event logs for the corresponding session attempts and the credentials used. Isolate affected systems, perform a thorough malware scan, and reset the credentials of any accounts the host may have used or exposed. Where outbound WinRM is not required, block TCP 5985/5986 egress at the perimeter so that this activity is prevented rather than only detected.