Incoming Execution via PowerShell Remoting

Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2020/11/24"
  3integration = ["endpoint", "windows"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6min_stack_version = "8.14.0"
  7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any
 13Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.
 14"""
 15false_positives = [
 16    """
 17    PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It's important to
 18    baseline your environment to determine the amount of noise to expect from this tool.
 19    """,
 20]
 21from = "now-9m"
 22index = [
 23    "winlogbeat-*",
 24    "logs-endpoint.events.process-*",
 25    "logs-endpoint.events.network-*",
 26    "logs-windows.sysmon_operational-*",
 27]
 28language = "eql"
 29license = "Elastic License v2"
 30name = "Incoming Execution via PowerShell Remoting"
 31references = [
 32    "https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1",
 33]
 34risk_score = 47
 35rule_id = "2772264c-6fb9-4d9d-9014-b416eed21254"
 36severity = "medium"
 37tags = [
 38    "Domain: Endpoint",
 39    "OS: Windows",
 40    "Use Case: Threat Detection",
 41    "Tactic: Lateral Movement",
 42    "Tactic: Execution",
 43    "Data Source: Elastic Defend",
 44    "Data Source: Sysmon",
 45    "Resources: Investigation Guide",
 46]
 47type = "eql"
 48
 49query = '''
 50sequence by host.id with maxspan = 30s
 51   [network where host.os.type == "windows" and network.direction : ("incoming", "ingress") and destination.port in (5985, 5986) and
 52    network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"]
 53   [process where host.os.type == "windows" and
 54    event.type == "start" and process.parent.name : "wsmprovhost.exe" and not process.executable : "?:\\Windows\\System32\\conhost.exe"]
 55'''
 56note = """## Triage and analysis
 57
 58> **Disclaimer**:
 59> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 60
 61### Investigating Incoming Execution via PowerShell Remoting
 62
 63PowerShell Remoting enables administrators to execute commands on remote Windows systems, facilitating efficient management. However, adversaries can exploit this feature for lateral movement within a network. The detection rule identifies suspicious activity by monitoring network traffic on specific ports and processes initiated by PowerShell Remoting, flagging potential unauthorized remote executions.
 64
 65### Possible investigation steps
 66
 67- Review the network traffic logs to identify the source IP address involved in the alert, ensuring it is not a known or authorized management system.
 68- Check the destination port (5985 or 5986) to confirm it aligns with PowerShell Remoting activity and verify if the connection was expected or authorized.
 69- Investigate the process tree on the affected host to determine if the process initiated by wsmprovhost.exe is legitimate or if it shows signs of suspicious activity.
 70- Examine the parent process of wsmprovhost.exe to identify any unusual or unauthorized processes that may have triggered the PowerShell Remoting session.
 71- Correlate the event with user activity logs to determine if the remote execution was performed by a legitimate user or if there are signs of compromised credentials.
 72- Assess the risk score and severity in the context of the organization's environment to prioritize the response and determine if further containment or remediation actions are necessary.
 73
 74### False positive analysis
 75
 76- Legitimate administrative tasks using PowerShell Remoting can trigger the rule. To manage this, identify and whitelist known administrative IP addresses or user accounts that frequently perform remote management tasks.
 77- Automated scripts or scheduled tasks that use PowerShell Remoting for system maintenance might be flagged. Review and document these scripts, then create exceptions for their specific process names or execution paths.
 78- Security tools or monitoring solutions that leverage PowerShell Remoting for legitimate purposes may cause alerts. Verify these tools and exclude their associated network traffic or processes from the detection rule.
 79- Internal IT support activities that involve remote troubleshooting using PowerShell Remoting can be mistaken for threats. Maintain a list of support personnel and their IP addresses to exclude them from triggering alerts.
 80- Regular software updates or patch management processes that utilize PowerShell Remoting should be considered. Identify these processes and exclude their network traffic or process executions to prevent false positives.
 81
 82### Response and remediation
 83
 84- Isolate the affected host immediately from the network to prevent further lateral movement by the adversary.
 85- Terminate any suspicious PowerShell processes identified, especially those initiated by wsmprovhost.exe, to stop unauthorized remote executions.
 86- Conduct a thorough review of recent user activity and access logs on the affected host to identify any unauthorized access or changes.
 87- Reset credentials for any accounts that were used in the suspicious activity to prevent further unauthorized access.
 88- Apply patches and updates to the affected systems to address any vulnerabilities that may have been exploited.
 89- Enhance monitoring on the network for unusual activity on ports 5985 and 5986 to detect any future attempts at unauthorized PowerShell Remoting.
 90- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised."""
 91
 92
 93[[rule.threat]]
 94framework = "MITRE ATT&CK"
 95[[rule.threat.technique]]
 96id = "T1021"
 97name = "Remote Services"
 98reference = "https://attack.mitre.org/techniques/T1021/"
 99[[rule.threat.technique.subtechnique]]
100id = "T1021.006"
101name = "Windows Remote Management"
102reference = "https://attack.mitre.org/techniques/T1021/006/"
103
104
105
106[rule.threat.tactic]
107id = "TA0008"
108name = "Lateral Movement"
109reference = "https://attack.mitre.org/tactics/TA0008/"
110[[rule.threat]]
111framework = "MITRE ATT&CK"
112[[rule.threat.technique]]
113id = "T1059"
114name = "Command and Scripting Interpreter"
115reference = "https://attack.mitre.org/techniques/T1059/"
116[[rule.threat.technique.subtechnique]]
117id = "T1059.001"
118name = "PowerShell"
119reference = "https://attack.mitre.org/techniques/T1059/001/"
120
121
122
123[rule.threat.tactic]
124id = "TA0002"
125name = "Execution"
126reference = "https://attack.mitre.org/tactics/TA0002/"
...
toml

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

PowerShell Remoting enables administrators to execute commands on remote Windows systems, facilitating efficient management. However, adversaries can exploit this feature for lateral movement within a network. The detection rule identifies suspicious activity by monitoring network traffic on specific ports and processes initiated by PowerShell Remoting, flagging potential unauthorized remote executions.

  • Review the network traffic logs to identify the source IP address involved in the alert, ensuring it is not a known or authorized management system.
  • Check the destination port (5985 or 5986) to confirm it aligns with PowerShell Remoting activity and verify if the connection was expected or authorized.
  • Investigate the process tree on the affected host to determine if the process initiated by wsmprovhost.exe is legitimate or if it shows signs of suspicious activity.
  • Examine the parent process of wsmprovhost.exe to identify any unusual or unauthorized processes that may have triggered the PowerShell Remoting session.
  • Correlate the event with user activity logs to determine if the remote execution was performed by a legitimate user or if there are signs of compromised credentials.
  • Assess the risk score and severity in the context of the organization's environment to prioritize the response and determine if further containment or remediation actions are necessary.
  • Legitimate administrative tasks using PowerShell Remoting can trigger the rule. To manage this, identify and whitelist known administrative IP addresses or user accounts that frequently perform remote management tasks.
  • Automated scripts or scheduled tasks that use PowerShell Remoting for system maintenance might be flagged. Review and document these scripts, then create exceptions for their specific process names or execution paths.
  • Security tools or monitoring solutions that leverage PowerShell Remoting for legitimate purposes may cause alerts. Verify these tools and exclude their associated network traffic or processes from the detection rule.
  • Internal IT support activities that involve remote troubleshooting using PowerShell Remoting can be mistaken for threats. Maintain a list of support personnel and their IP addresses to exclude them from triggering alerts.
  • Regular software updates or patch management processes that utilize PowerShell Remoting should be considered. Identify these processes and exclude their network traffic or process executions to prevent false positives.
  • Isolate the affected host immediately from the network to prevent further lateral movement by the adversary.
  • Terminate any suspicious PowerShell processes identified, especially those initiated by wsmprovhost.exe, to stop unauthorized remote executions.
  • Conduct a thorough review of recent user activity and access logs on the affected host to identify any unauthorized access or changes.
  • Reset credentials for any accounts that were used in the suspicious activity to prevent further unauthorized access.
  • Apply patches and updates to the affected systems to address any vulnerabilities that may have been exploited.
  • Enhance monitoring on the network for unusual activity on ports 5985 and 5986 to detect any future attempts at unauthorized PowerShell Remoting.
  • Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.

References

Related rules

to-top