security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/windows/builtin/security/win_remote_powershell_session.yml
T

27 lines
765 B
YAML
Raw Normal View History

Add keyword WinRM to remote powershell network rule
2021-05-20 17:02:17 +02:00
title: Remote PowerShell Sessions Network Connections (WinRM)
UUIDs + moved unsupported logic
2019-12-19 23:56:36 +01:00
id: 13acf386-b8c6-4fe0-9a6e-c4756b974698
Add keyword WinRM to remote powershell network rule
2021-05-20 17:02:17 +02:00
description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
added:
2019-10-24 15:48:38 +02:00
status: experimental
date: 2019/09/12
Add modified field in WinRM rule
2021-05-21 09:28:45 +02:00
modified: 2021/05/21
added:
2019-10-24 15:48:38 +02:00
author: Roberto Rodriguez @Cyb3rWard0g
references:
Update Threat Hunter Playbook Reference
2021-05-22 00:58:23 -03:00
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
Removed ATT&CK technique ids from titles and added tags
2020-01-11 00:33:50 +01:00
tags:
- attack.execution
Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00
- attack.t1059.001
added:
2019-10-24 15:48:38 +02:00
logsource:
product: windows
service: security
detection:
Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00
selection:
added:
2019-10-24 15:48:38 +02:00
EventID: 5156
DestPort:
- 5985
- 5986
LayerRTID: 44
condition: selection
falsepositives:
OSCD QA wave 3
2020-01-19 22:34:16 +01:00
- Legitimate use of remote PowerShell execution
level: high
Reference in New Issue Copy Permalink