Detection | high | test
Remote PowerShell Sessions Network Connections (WinRM)
Detects basic PowerShell Remoting (WinRM) by monitoring for inbound network connections to ports 5985 or 5986.
Author: Roberto Rodriguez (Cyb3rWard0g)
Created: Thu Sep 12
Updated: Sun Oct 09
Rule ID: 13acf386-b8c6-4fe0-9a6e-c4756b974698
Product: windows
Log Source
Product: windows
Service: security
Detection Logic (1 selector)
detection:
  selection:
    EventID: 5156
    DestPort:
      - 5985
      - 5986
    LayerRTID: 44
  condition: selection
False Positives
Legitimate use of remote PowerShell execution
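The selection above is a single Sigma map: every field must match, and a list-valued field (DestPort) matches any of its entries. The example below is added here and is not part of the Sigma project or this rule; it transcribes the selection into a small matcher and runs it over constructed Windows Security 5156 records (Windows Filtering Platform permitted connection). The sample records, their addresses, and the LayerRTID 48 used to stand for an outbound connect are constructed values for illustration. The third record shows why the rule keys on LayerRTID 44 (the inbound receive/accept layer): an outbound connection from the host to another WinRM listener uses the same port but a different layer and is not reported. As the false-positive note says, legitimate administrative sessions also match, so a hit is a trigger for enrichment by source address and account rather than a verdict on its own.

```python
"""Added example: evaluate the Sigma selection for the WinRM rule against
constructed Windows Security 5156 events. Not part of the Sigma project."""

from typing import Any, Dict, Iterable, List, Union

# The rule's selection, transcribed from the YAML above.
# A list value means "any of" (OR); separate fields are ANDed.
SELECTION: Dict[str, Union[int, List[int]]] = {
    "EventID": 5156,
    "DestPort": [5985, 5986],
    "LayerRTID": 44,
}


def _normalize(value: Any) -> str:
    """Windows event XML carries every EventData field as text, while the
    Sigma rule writes integers; compare both sides as stripped strings."""
    return str(value).strip()


def selection_matches(selection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Return True when every selection field is present in the event and its
    value equals one of the allowed values (plain Sigma map semantics, no
    field modifiers)."""
    for field, allowed in selection.items():
        if field not in event:
            return False
        candidates = allowed if isinstance(allowed, list) else [allowed]
        if _normalize(event[field]) not in {_normalize(c) for c in candidates}:
            return False
    return True


def find_alerts(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply the rule (condition: selection) to a stream of parsed events."""
    return [e for e in events if selection_matches(SELECTION, e)]


# Constructed sample records. Field names follow the names the rule uses;
# values are strings, as they would be after parsing EventData.
SAMPLE_EVENTS = [
    # Inbound WinRM over HTTP: matches.
    {"EventID": "5156", "SourceAddress": "10.0.0.20", "DestAddress": "10.0.0.5",
     "DestPort": "5985", "LayerRTID": "44",
     "Application": r"\device\harddiskvolume2\windows\system32\svchost.exe"},
    # Inbound WinRM over HTTPS: matches.
    {"EventID": "5156", "SourceAddress": "10.0.0.21", "DestAddress": "10.0.0.5",
     "DestPort": "5986", "LayerRTID": "44", "Application": "System"},
    # Outbound connect from this host to a WinRM listener elsewhere: same
    # port, but a different filtering layer (48 is a constructed value for
    # the outbound layer here), so the rule does not fire.
    {"EventID": "5156", "SourceAddress": "10.0.0.5", "DestAddress": "10.0.0.30",
     "DestPort": "5985", "LayerRTID": "48",
     "Application": r"\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe"},
    # Inbound RDP: wrong port.
    {"EventID": "5156", "SourceAddress": "10.0.0.22", "DestAddress": "10.0.0.5",
     "DestPort": "3389", "LayerRTID": "44"},
    # Blocked connection (event 5157) to 5985: different event ID, not covered.
    {"EventID": "5157", "SourceAddress": "10.0.0.23", "DestAddress": "10.0.0.5",
     "DestPort": "5985", "LayerRTID": "44"},
]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(f"WinRM inbound: {hit['SourceAddress']} -> "
              f"{hit['DestAddress']}:{hit['DestPort']}")
```

Running the block reports the first two records only. The string normalization matters in practice: a backend that compares the rule's integer 5985 against the event's text "5985" without conversion silently matches nothing.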
MITRE ATT&CK
Tactics: Execution
Sub-techniques: T1059.001 (Command and Scripting Interpreter: PowerShell)
Rule Metadata
Rule ID
13acf386-b8c6-4fe0-9a6e-c4756b974698
Status
test
Level
high
Type
Detection
Created
Thu Sep 12
Modified
Sun Oct 09
Path
rules/windows/builtin/security/win_security_remote_powershell_session.yml
Raw Tags
attack.execution, attack.t1059.001