security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
426d8193add8a2fde2621da480a5822079dcc1b8
blue-team-tools/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml
T
frack113 0ca16b18f4 Change to category: ps_module
2021-10-16 08:05:15 +02:00

29 lines
970 B
YAML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
title: Remote PowerShell Session
id: 96b9f619-aa91-478f-bacb-c3e50f8df575
description: Detects remote PowerShell sessions
status: test
date: 2019/08/10
modified: 2021/10/16
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
tags:
- attack.execution
- attack.t1059.001
- attack.t1086 # an old one
- attack.lateral_movement
- attack.t1021.006
- attack.t1028 # an old one
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
detection:
selection:
ContextInfo|contains|all:
- ' = ServerRemoteHost ' # HostName: 'ServerRemoteHost' french : Nom dhôte =
- 'wsmprovhost.exe' # HostApplication|contains: 'wsmprovhost.exe' french Application hôte =
condition: selection
falsepositives:
- Legitimate use remote PowerShell sessions
level: high
Reference in New Issue View Git Blame Copy Permalink