Remote PowerShell Session (PS Classic)

Detects remote PowerShell sessions

Sigma rule (View on GitHub)

 1title: Remote PowerShell Session (PS Classic)
 2id: 60167e5c-84b2-4c95-a7ac-86281f27c445
 3related:
 4    - id: 96b9f619-aa91-478f-bacb-c3e50f8df575
 5      type: derived
 6status: test
 7description: Detects remote PowerShell sessions
 8references:
 9    - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
10author: Roberto Rodriguez @Cyb3rWard0g
11date: 2019/08/10
12modified: 2024/01/03
13tags:
14    - attack.execution
15    - attack.t1059.001
16    - attack.lateral_movement
17    - attack.t1021.006
18logsource:
19    product: windows
20    category: ps_classic_start
21detection:
22    selection:
23        Data|contains|all:
24            - 'HostName=ServerRemoteHost'
25            - 'wsmprovhost.exe'
26    condition: selection
27falsepositives:
28    - Legitimate use remote PowerShell sessions
29# Note: Increase the level to "medium" in environments that do not leverage PowerShell remoting
30level: low

References

Related rules

to-top