[New Rule] Incoming Execution via PowerShell Remoting (#624)

* [New Rule] Incoming Execution via PowerShell Remoting

* eql syntax

* Update rules/windows/lateral_movement_powershell_remoting_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_powershell_remoting_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

* Update rules/windows/lateral_movement_powershell_remoting_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Samirbous
2020-12-08 17:16:10 +01:00
parent 0479a8f8a3
commit ccea74d9d8
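--- /dev/null
+++ b/rules/windows/lateral_movement_powershell_remoting_target.toml
@@ -0,0 +1,47 @@
+[metadata]
+creation_date = "2020/11/24"
+maturity = "production"
+updated_date = "2020/11/24"
+[rule]
+author = ["Elastic"]
+description = "Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows for running any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement."
+false_positives = [
+"""
+PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It's important to
+baseline your environment to determine the amount of noise to expect from this tool.
+""",
+]
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License"
+name = "Incoming Execution via PowerShell Remoting"
+references = ["https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1"]
+risk_score = 43
+rule_id = "2772264c-6fb9-4d9d-9014-b416eed21254"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
+type = "eql"
+query = '''
+sequence by host.id with maxspan = 30s
+[network where network.direction == "incoming" and destination.port in (5985, 5986) and
+network.protocol == "http" and source.address != "127.0.0.1" and source.address != "::1"
+]
+[process where event.type == "start" and process.parent.name : "wsmprovhost.exe" and not process.name : "conhost.exe"]
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"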
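Review bot: The first sequence step in `query` requires `network.protocol == "http"` for both ports, but 5986 is WinRM over TLS, so if the sensor labels that traffic as tls or leaves network.protocol unset because the payload is encrypted, the 5986 branch can never match and the rule silently covers only plaintext remoting. Consider tying the protocol check to the plaintext port only, e.g. `((destination.port == 5985 and network.protocol == "http") or destination.port == 5986)`, or dropping it and relying on the port plus the `wsmprovhost.exe` parent in the second step. Separately, `network.direction == "incoming"` matches the Elastic Endpoint value but not the ECS-documented `ingress`/`inbound` forms, so events from other ECS sources covered by the `index` patterns would not join the sequence; `network.direction : ("incoming", "ingress", "inbound")` would be more robust. The loopback exclusion on `source.address` also covers only 127.0.0.1 and ::1 rather than the rest of 127.0.0.0/8, which is a minor gap worth a comment in `false_positives` or a broader filter.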