Remote PowerShell Session (PS Classic)
Detects remote PowerShell sessions
Sigma rule (View on GitHub)
1title: Remote PowerShell Session (PS Classic)
2id: 60167e5c-84b2-4c95-a7ac-86281f27c445
3related:
4 - id: 96b9f619-aa91-478f-bacb-c3e50f8df575
5 type: derived
6status: test
7description: Detects remote PowerShell sessions
8references:
9 - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
10author: Roberto Rodriguez @Cyb3rWard0g
11date: 2019-08-10
12modified: 2024-01-03
13tags:
14 - attack.execution
15 - attack.t1059.001
16 - attack.lateral-movement
17 - attack.t1021.006
18logsource:
19 product: windows
20 category: ps_classic_start
21detection:
22 selection:
23 Data|contains|all:
24 - 'HostName=ServerRemoteHost'
25 - 'wsmprovhost.exe'
26 condition: selection
27falsepositives:
28 - Legitimate use remote PowerShell sessions
29# Note: Increase the level to "medium" in environments that do not leverage PowerShell remoting
30level: low
References
-
Offensive Tradecraft# Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. In addition, it can be used to execute code remotely v...
Read More
Related rules
- Potential Remote PowerShell Session Initiated
- Remote LSASS Process Access Through Windows Remote Management
- Remote PowerShell Session (PS Module)
- OMIGOD HTTP No Authentication RCE
- Remote PowerShell Session Host Process (WinRM)