rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml

title: Enable Windows Remote Management
id: 991a9744-f2f0-44f2-bd33-9092eba17dc3
status: test
description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2
author: frack113
date: 2022-01-07
tags:
    - attack.lateral-movement
    - attack.t1021.006
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmdlet:
        ScriptBlockText|contains: 'Enable-PSRemoting '
    condition: selection_cmdlet
falsepositives:
    - Legitimate script
level: medium
$frack113$ Windows Redcannary 2022-01-08 09:17:56 +01:00			`title: Enable Windows Remote Management`
			`id: 991a9744-f2f0-44f2-bd33-9092eba17dc3`
$frack113$ change status to test 2023-01-27 06:48:34 +01:00			`status: test`
Add missing definition fields and references 2022-07-07 19:13:01 +01:00			`description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.`
$frack113$ Windows Redcannary 2022-01-08 09:17:56 +01:00			`references:`
Update Ref+Selection 2022-07-11 14:11:53 +01:00			`- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management`
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS 2024-07-02 06:00:11 -04:00			`- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2`
$frack113$ Windows Redcannary 2022-01-08 09:17:56 +01:00			`author: frack113`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2022-01-07`
$frack113$ Order yaml field 2022-10-26 09:43:39 +02:00			`tags:`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`- attack.lateral-movement`
$frack113$ Order yaml field 2022-10-26 09:43:39 +02:00			`- attack.t1021.006`
$frack113$ Windows Redcannary 2022-01-08 09:17:56 +01:00			`logsource:`
			`product: windows`
			`category: ps_script`
feat: updates and enhancements 2023-01-04 17:49:32 +01:00			`definition: 'Requirements: Script Block Logging must be enabled'`
$frack113$ Windows Redcannary 2022-01-08 09:17:56 +01:00			`detection:`
			`selection_cmdlet:`
			`ScriptBlockText\|contains: 'Enable-PSRemoting '`
			`condition: selection_cmdlet`
			`falsepositives:`
fix: more falsepositives harmonization 2022-03-16 14:39:23 +01:00			`- Legitimate script`
$frack113$ Windows Redcannary 2022-01-08 09:17:56 +01:00			`level: medium`