Detectionlowtest

Remote PowerShell Session (PS Classic)

Detects remote PowerShell sessions

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Roberto Rodriguez (Cyb3rWard0g)Created Sat Aug 10Updated Wed Jan 0360167e5c-84b2-4c95-a7ac-86281f27c445windows

Log Source

WindowsPowerShell Classic

ProductWindows← raw: windows

CategoryPowerShell Classic← raw: ps_classic_start

Detection Logic

detection:
    selection:
        Data|contains|all:
            - 'HostName=ServerRemoteHost'
            - 'wsmprovhost.exe'
    condition: selection

False Positives

Legitimate use remote PowerShell sessions

References

Resolving title…

threathunterplaybook.com

MITRE ATT&CK

Tactics

TA0002 · Execution TA0008 · Lateral Movement

Sub-techniques

T1059.001 · PowerShell T1021.006 · Windows Remote Management

Related Rules

DerivedDetectionhigh

Remote PowerShell Session (PS Module)

Detects remote PowerShell sessions

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata

Rule ID

60167e5c-84b2-4c95-a7ac-86281f27c445

Status

test

Level

low

Type

Detection

Created

Sat Aug 10

Modified

Wed Jan 03

Author

Roberto Rodriguez (Cyb3rWard0g)

Path

rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml

Raw Tags

attack.executionattack.t1059.001attack.lateral-movementattack.t1021.006

View on GitHub