
Windows Remote Host Computer Management Access

Splunk Security Content

Summary
This detection rule identifies execution of `mmc.exe` with the `compmgmt.msc` argument, which opens Computer Management against a remote system. While this is a legitimate administrative action, attackers can use the same technique for reconnaissance, privilege escalation, or persistence on a network. The rule focuses on cases where a user connects to a remote machine without a full remote desktop session, which provides a potential avenue for unauthorized actions. It uses Sysmon EventID 1 and Windows Security Event 4688 as data sources and captures details about the process and its parent process. The Splunk search draws on the Endpoint data model and requires the infrastructure to be configured appropriately so that remote management access is detected and alerted on accurately.
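As an added illustration (not the rule's own SPL, and not code from Splunk Security Content), the following Python applies the same logic to constructed Sysmon Event ID 1 style records: it flags `mmc.exe` launched with `compmgmt.msc` and extracts the remote host it targets. The `/computer=` argument check, the field names and all sample values are assumptions for this example, not taken from the page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed Sysmon Event ID 1 style records (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\mmc.exe",
     "CommandLine": "\"C:\\Windows\\System32\\mmc.exe\" compmgmt.msc /computer=SRV-FILE01",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Computer": "WS01", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\mmc.exe",
     "CommandLine": "\"C:\\Windows\\System32\\mmc.exe\" compmgmt.msc",  # local only
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Computer": "WS02", "User": "CORP\\svc_build",
     "Image": "C:\\Windows\\System32\\mmc.exe",
     "CommandLine": "mmc.exe CompMgmt.msc /COMPUTER=\\\\dc01.corp.local",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Computer": "WS02", "User": "CORP\\svc_build",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe compmgmt.msc",  # not mmc.exe, ignored
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

# Assumed remote-target syntax: "/computer=HOST" or "/computer:\\HOST", any case.
REMOTE_TARGET = re.compile(r"/computer[=:]\s*(\\\\)?([A-Za-z0-9._-]+)", re.IGNORECASE)


@dataclass
class Alert:
    host: str      # machine where mmc.exe ran
    user: str      # account that launched it
    target: str    # remote computer named on the command line
    parent: str    # parent process, useful for triage (explorer vs. shell)


def normalize_image(image: str) -> str:
    """Reduce a full image path to its lowercase file name."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_remote_compmgmt(event: dict) -> Optional[Alert]:
    """Return an Alert when mmc.exe loads compmgmt.msc against a remote host."""
    if normalize_image(event.get("Image", "")) != "mmc.exe":
        return None
    cmd = event.get("CommandLine", "")
    if "compmgmt.msc" not in cmd.lower():
        return None
    m = REMOTE_TARGET.search(cmd)
    if not m:
        return None  # local Computer Management; outside this rule's scope
    return Alert(host=event.get("Computer", ""), user=event.get("User", ""),
                 target=m.group(2), parent=normalize_image(event.get("ParentImage", "")))


def detect(events: list) -> list:
    """Run the matcher over a batch of process-creation events."""
    return [a for a in (match_remote_compmgmt(e) for e in events) if a]
```

Running `detect(SAMPLE_EVENTS)` yields two alerts (targets `SRV-FILE01` and `dc01.corp.local`); the local-only launch and the non-`mmc.exe` process produce none.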
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1021.006
Created: 2025-03-17