rules/windows/powershell/powershell_remote_powershell_session.yml

action: global
title: Remote PowerShell Session
description: Detects remote PowerShell sessions
status: test
date: 2019/08/10
modified: 2020/08/24
author: Roberto Rodriguez @Cyb3rWard0g
references:
    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1086  # an old one
    - attack.lateral_movement
    - attack.t1021.006
    - attack.t1028  # an old one
falsepositives:
    - Legitimate use remote PowerShell sessions
level: high
---
id: 96b9f619-aa91-478f-bacb-c3e50f8df575
logsource:
    product: windows
    service: powershell
    definition: Module Logging must be enable and fields have to be extract from event
detection:
    selection:
        EventID: 4103 
        ContextInfo|contains|all:
            - ' = ServerRemoteHost ' #  HostName: 'ServerRemoteHost'  french : Nom d’hôte = 
            - 'wsmprovhost.exe'      #  HostApplication|contains: 'wsmprovhost.exe' french  Application hôte = 
    condition: selection
---
id: 60167e5c-84b2-4c95-a7ac-86281f27c445
logsource:
    product: windows
    service: powershell-classic
    definition: fields have to be extract from event
detection:
    selection:
        EventID: 400
        HostName: 'ServerRemoteHost'
        HostApplication|contains: 'wsmprovhost.exe'
    condition: selection
-											fix eventid 400 powershell-classic
										
										
											2021-08-03 10:04:15 +02:00
+								action: global
-											Removed ATT&CK technique ids from titles and added tags
										
										
											2020-01-11 00:33:50 +01:00
+								title: Remote PowerShell Session
-											added:
										
										
											2019-10-24 15:48:38 +02:00
+								description: Detects remote PowerShell sessions
-											Fix EventID 4103 detection
										
										
											2021-08-31 13:44:54 +02:00
+								status: test
-											added:
										
										
											2019-10-24 15:48:38 +02:00
+								date: 2019/08/10
-											att&ck tags review: windows/powershell, windows/process_access, windows/network_connection
										
										
											2020-08-24 23:31:26 +00:00
+								modified: 2020/08/24
-											added:
										
										
											2019-10-24 15:48:38 +02:00
+								author: Roberto Rodriguez @Cyb3rWard0g
 								references:
-											Update Threat Hunter Playbook Reference
										
										
											2021-05-22 01:03:49 -03:00
+								    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
-											Removed ATT&CK technique ids from titles and added tags
										
										
											2020-01-11 00:33:50 +01:00
+								tags:
 								    - attack.execution
-											Initial round of subtechnique updates
										
										
											2020-06-16 14:46:08 -06:00
+								    - attack.t1059.001
-											Replace old mitre techniques by new one
										
										
											2021-08-22 13:57:56 +02:00
+								    - attack.t1086  # an old one
-											windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future.
										
										
											2020-08-24 00:01:50 +00:00
+								    - attack.lateral_movement
 								    - attack.t1021.006
-											Replace old mitre techniques by new one
										
										
											2021-08-22 13:57:56 +02:00
+								    - attack.t1028  # an old one
-											fix eventid 400 powershell-classic
										
										
											2021-08-03 10:04:15 +02:00
+								falsepositives:
 								    - Legitimate use remote PowerShell sessions
 								level: high
 								---
-											Update global ID
										
										
											2021-09-02 21:16:55 +02:00
+								id: 96b9f619-aa91-478f-bacb-c3e50f8df575
-											added:
										
										
											2019-10-24 15:48:38 +02:00
+								logsource:
 								    product: windows
 								    service: powershell
-											Update PS rules
										
										
											2021-08-21 09:33:52 +02:00
+								    definition: Module Logging must be enable and fields have to be extract from event
-											added:
										
										
											2019-10-24 15:48:38 +02:00
+								detection:
-											Initial round of subtechnique updates
										
										
											2020-06-16 14:46:08 -06:00
+								    selection:
-											Fix EventID 4103 detection
										
										
											2021-08-31 13:44:54 +02:00
+								        EventID: 4103
 								        ContextInfo|contains|all:
 								            - ' = ServerRemoteHost ' #  HostName: 'ServerRemoteHost'  french : Nom d’hôte =
 								            - 'wsmprovhost.exe'      #  HostApplication|contains: 'wsmprovhost.exe' french  Application hôte =
-											added:
										
										
											2019-10-24 15:48:38 +02:00
+								    condition: selection
-											fix eventid 400 powershell-classic
										
										
											2021-08-03 10:04:15 +02:00
+								---
-											Update global ID
										
										
											2021-09-02 21:16:55 +02:00
+								id: 60167e5c-84b2-4c95-a7ac-86281f27c445
-											fix eventid 400 powershell-classic
										
										
											2021-08-03 10:04:15 +02:00
+								logsource:
 								    product: windows
 								    service: powershell-classic
-											add definition to powershell-classic
										
										
											2021-08-16 12:56:24 +02:00
+								    definition: fields have to be extract from event
-											fix eventid 400 powershell-classic
										
										
											2021-08-03 10:04:15 +02:00
+								detection:
 								    selection:
 								        EventID: 400
 								        HostName: 'ServerRemoteHost'
 								        HostApplication|contains: 'wsmprovhost.exe'
-											Replace old mitre techniques by new one
										
										
											2021-08-22 13:57:56 +02:00
+								    condition: selection