Remote PowerShell Sessions Network Connections (WinRM)
Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
Sigma rule
title: Remote PowerShell Sessions Network Connections (WinRM)
id: 13acf386-b8c6-4fe0-9a6e-c4756b974698
status: test
description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
references:
    - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-09-12
modified: 2022-10-09
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5156
        DestPort:
            - 5985
            - 5986
        LayerRTID: 44
    condition: selection
falsepositives:
    - Legitimate use of remote PowerShell execution
level: high
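The selection above is a plain AND of three fields, with the two ports OR'd together, and it only fires on Security event 5156 (Windows Filtering Platform permitted a connection), which is written only when "Audit Filtering Platform Connection" success auditing is enabled. The LayerRTID of 44 restricts the match to the inbound accept layer; the same port seen with LayerRTID 48 (the outbound connect layer) is this host reaching out to WinRM somewhere else, not a session coming in. The following Python, added here as an example and not part of the Sigma rule or the SigmaHQ project, evaluates that selection over constructed Security-log records shaped like the EventData fields of event 5156 (values are strings, as they arrive from EVTX/XML), and groups hits by source address for triage. The records and addresses are constructed.

```python
"""Evaluate the WinRM inbound-connection Sigma selection above against
Windows Security event records.

Added example, not code from the Sigma rule or the SigmaHQ project.
All event records below are constructed for illustration.
"""

# Mirrors the rule's `selection` block: every field must match (AND), and the
# list under DestPort is an OR across its values, as in Sigma semantics.
RULE_SELECTION = {
    "EventID": 5156,           # WFP permitted a connection
    "DestPort": [5985, 5986],  # WinRM over HTTP / HTTPS
    "LayerRTID": 44,           # inbound accept layer; 48 is the outbound connect layer
}


def _coerce(value):
    """EventData values arrive as strings in EVTX/XML; compare numerically
    where the field is a digit string."""
    if isinstance(value, str) and value.strip().lstrip("-").isdigit():
        return int(value)
    return value


def matches_selection(event, selection=RULE_SELECTION):
    """Return True when the event satisfies every field of the selection."""
    for field, expected in selection.items():
        if field not in event:
            return False
        allowed = expected if isinstance(expected, (list, tuple, set)) else [expected]
        if _coerce(event[field]) not in allowed:
            return False
    return True


def find_winrm_inbound(events):
    """Apply the rule (condition: selection) and return the matching events."""
    return [e for e in events if matches_selection(e)]


def summarize(events):
    """Count matches per source address so a burst of hits is easy to triage."""
    counts = {}
    for e in find_winrm_inbound(events):
        src = e.get("SourceAddress", "?")
        counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed records using the EventData field names of event 5156.
SVCHOST = r"\device\harddiskvolume2\windows\system32\svchost.exe"
SAMPLE_EVENTS = [
    # Inbound WinRM over HTTP: matches.
    {"EventID": "5156", "Application": SVCHOST, "SourceAddress": "10.10.1.50",
     "SourcePort": "51234", "DestAddress": "10.10.1.20", "DestPort": "5985",
     "Protocol": "6", "LayerRTID": "44"},
    # Inbound WinRM over HTTPS from the same client: matches.
    {"EventID": "5156", "Application": SVCHOST, "SourceAddress": "10.10.1.50",
     "SourcePort": "51240", "DestAddress": "10.10.1.20", "DestPort": "5986",
     "Protocol": "6", "LayerRTID": "44"},
    # Same port, but LayerRTID 48: this host connecting OUT to WinRM elsewhere.
    {"EventID": "5156", "Application": SVCHOST, "SourceAddress": "10.10.1.20",
     "SourcePort": "49999", "DestAddress": "10.10.1.77", "DestPort": "5985",
     "Protocol": "6", "LayerRTID": "48"},
    # Inbound, but to a port the rule does not cover.
    {"EventID": "5156", "Application": SVCHOST, "SourceAddress": "10.10.1.9",
     "SourcePort": "40001", "DestAddress": "10.10.1.20", "DestPort": "443",
     "Protocol": "6", "LayerRTID": "44"},
    # A different WFP event (5158, permitted bind) is out of scope.
    {"EventID": "5158", "Application": SVCHOST, "SourceAddress": "10.10.1.20",
     "SourcePort": "5985", "DestPort": "5985", "Protocol": "6", "LayerRTID": "44"},
]

if __name__ == "__main__":
    for hit in find_winrm_inbound(SAMPLE_EVENTS):
        print(f"WinRM inbound: {hit['SourceAddress']} -> "
              f"{hit['DestAddress']}:{hit['DestPort']}")
    print(summarize(SAMPLE_EVENTS))
```

Only the two inbound records match; the outbound connect on 5985, the inbound 443 connection and the 5158 bind event are dropped. The string-to-int coercion is what lets the rule's integer values line up with raw EventData; a backend that compares strings without it would silently miss every event.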
References
- https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
Related rules
- AWS EC2 Startup Shell Script Change
- Alternate PowerShell Hosts - PowerShell Module
- Bad Opsec Powershell Code Artifacts
- BloodHound Collection Files
- Certificate Exported Via PowerShell