rules/windows/process_creation/win_remote_powershell_session_process.yml

title: Remote PowerShell Session Host Process (WinRM)
id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8
description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).
status: experimental
date: 2019/09/12
modified: 2021/05/21
author: Roberto Rodriguez @Cyb3rWard0g
references:
    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
tags:
    - attack.execution
    - attack.t1086 # an old one
    - attack.t1059.001
    - attack.t1021.006
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\wsmprovhost.exe'
        - ParentImage|endswith: '\wsmprovhost.exe'
    condition: selection
fields:
    - ComputerName
    - User
    - CommandLine
falsepositives:
    - Legitimate usage of remote Powershell, e.g. for monitoring purposes.
level: medium
Add keyword WinRM to remote powershell process rule 2021-05-20 17:03:32 +02:00			`title: Remote PowerShell Session Host Process (WinRM)`
UUIDs + moved unsupported logic 2019-12-19 23:56:36 +01:00			`id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8`
Update win_remote_powershell_session_process.yml 2021-07-15 11:20:25 +08:00			`description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).`
added: 2019-10-24 15:48:38 +02:00			`status: experimental`
			`date: 2019/09/12`
Update modified field in WinRM rule 2021-05-21 09:29:11 +02:00			`modified: 2021/05/21`
added: 2019-10-24 15:48:38 +02:00			`author: Roberto Rodriguez @Cyb3rWard0g`
			`references:`
Update Threat Hunter Playbook Reference 2021-05-22 01:04:53 -03:00			`- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html`
Removed ATT&CK technique ids from titles and added tags 2020-01-11 00:33:50 +01:00			`tags:`
			`- attack.execution`
att&ck tags review: windows/process_creation part 5 2020-09-07 02:00:41 +04:00			`- attack.t1086 # an old one`
Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00			`- attack.t1059.001`
Update win_remote_powershell_session_process.yml 2021-07-15 11:20:25 +08:00			`- attack.t1021.006`
added: 2019-10-24 15:48:38 +02:00			`logsource:`
fix logsource for remote_powershell_session_process.yml 2019-11-10 23:10:24 +03:00			`category: process_creation`
added: 2019-10-24 15:48:38 +02:00			`product: windows`
			`detection:`
fix logsource for remote_powershell_session_process.yml 2019-11-10 23:10:24 +03:00			`selection:`
			`- Image\|endswith: '\wsmprovhost.exe'`
			`- ParentImage\|endswith: '\wsmprovhost.exe'`
			`condition: selection`
OSCD QA wave 1 2020-01-11 00:11:27 +01:00			`fields:`
			`- ComputerName`
			`- User`
			`- CommandLine`
added: 2019-10-24 15:48:38 +02:00			`falsepositives:`
Update win_remote_powershell_session_process.yml 2021-07-15 11:20:25 +08:00			`- Legitimate usage of remote Powershell, e.g. for monitoring purposes.`
fix: reduced level due to false positives 2020-03-17 20:40:28 +01:00			`level: medium`