Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Execute Invoke-command on Remote Host

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François HubautCreated Fri Jan 077b836d7f-179c-4ba4-90a7-a7e60afb48e6windows
Log Source
WindowsPowerShell Script
ProductWindows← raw: windows
CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic
Detection Logic1 selector
detection:
    selection_cmdlet:
        ScriptBlockText|contains|all:
            - 'invoke-command '
            - ' -ComputerName '
    condition: selection_cmdlet
False Positives

Legitimate script

References
1
Resolving title…
github.com
2
Resolving title…
learn.microsoft.com
MITRE ATT&CK
Rule Metadata
Rule ID
7b836d7f-179c-4ba4-90a7-a7e60afb48e6
Status
test
Level
medium
Type
Detection
Created
Fri Jan 07
Author
François Hubaut
Path
rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml
Raw Tags
attack.lateral-movementattack.t1021.006
View on GitHub