Remote PowerShell Session (PS Module)

Aug 12, 2024 · attack.execution attack.t1059.001 attack.lateral-movement attack.t1021.006 ·

Detects remote PowerShell sessions

Sigma rule (View on GitHub)

 1title: Remote PowerShell Session (PS Module)
 2id: 96b9f619-aa91-478f-bacb-c3e50f8df575
 3status: test
 4description: Detects remote PowerShell sessions
 5references:
 6    - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
 7author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
 8date: 2019-08-10
 9modified: 2023-01-20
10tags:
11    - attack.execution
12    - attack.t1059.001
13    - attack.lateral-movement
14    - attack.t1021.006
15logsource:
16    product: windows
17    category: ps_module
18    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
19detection:
20    selection:
21        ContextInfo|contains|all:
22            - ' = ServerRemoteHost ' #  HostName: 'ServerRemoteHost'  french : Nom d’hôte =
23            - 'wsmprovhost.exe'      #  HostApplication|contains: 'wsmprovhost.exe' french  Application hôte =
24    filter_pwsh_archive:
25        ContextInfo|contains: '\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1'
26    condition: selection and not 1 of filter_*
27falsepositives:
28    - Legitimate use remote PowerShell sessions
29level: high

References

PowerShell Remote Session — Threat Hunter Playbook

Offensive Tradecraft# Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. In addition, it can be used to execute code remotely v...

Read More

Remote PowerShell Session (PS Module)

Sigma rule (View on GitHub)

References

PowerShell Remote Session — Threat Hunter Playbook

Related rules