Type: Detection | Level: high | Status: test
Remote PowerShell Session (PS Module)
Detects remote PowerShell sessions
Authors: Roberto Rodriguez (Cyb3rWard0g), Tim Shelton
Created: Sat Aug 10
Updated: Fri Jan 20
Rule ID: 96b9f619-aa91-478f-bacb-c3e50f8df575
Platform: windows
Log Source
Product: Windows (raw: windows)
Category: PowerShell Module (raw: ps_module)
Definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
Detection Logic (2 selectors)
detection:
    selection:
        ContextInfo|contains|all:
            - ' = ServerRemoteHost '   # HostName: 'ServerRemoteHost'; matched without the field label so it also fires on a French locale, where the label is 'Nom d’hôte ='
            - 'wsmprovhost.exe'        # HostApplication contains 'wsmprovhost.exe'; French label is 'Application hôte ='
    filter_pwsh_archive:
        ContextInfo|contains: '\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1'
    condition: selection and not 1 of filter_*
False Positives
Legitimate use of remote PowerShell sessions
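The following is an added example, not part of the Sigma rule page or the SigmaHQ project: it applies the rule's `selection and not 1 of filter_*` logic to constructed PowerShell Module-logging (Event ID 4103) ContextInfo strings, so a detection engineer can see why the locale-neutral ` = ServerRemoteHost ` pattern still fires on a French host and how the Microsoft.PowerShell.Archive filter suppresses the built-in module. The sample events, their field layout and trailing whitespace are constructed assumptions, not captured log data.

```python
# Added example (not from the Sigma rule page): evaluates the rule's
# selection/filter logic over constructed Event ID 4103 ContextInfo values.

# Strings taken from the rule's detection block. Sigma's `contains` modifier is
# case-insensitive, so every comparison is made on lower-cased text.
SELECTION_ALL = (" = serverremotehost ", "wsmprovhost.exe")
FILTER_PWSH_ARCHIVE = (
    r"\windows\system32\windowspowershell\v1.0\modules"
    r"\microsoft.powershell.archive\microsoft.powershell.archive.psm1"
)


def rule_matches(context_info: str) -> bool:
    """Return True when `selection and not 1 of filter_*` holds for one event."""
    text = context_info.lower()
    selection = all(needle in text for needle in SELECTION_ALL)
    filtered = FILTER_PWSH_ARCHIVE in text
    return selection and not filtered


def _context(host_name: str, host_app: str, command_path: str = "",
             host_label: str = "Host Name") -> str:
    """Build a constructed ContextInfo block (assumed layout, not a real event).
    The trailing space after each value mirrors the rule's ' = ServerRemoteHost '
    pattern; when testing against real events, keep their whitespace intact."""
    return (
        "        Severity = Informational \r\n"
        f"        {host_label} = {host_name} \r\n"
        "        Host Version = 5.1.19041.1 \r\n"
        f"        Host Application = {host_app} \r\n"
        f"        Command Path = {command_path} \r\n"
    )


WSMPROVHOST = r"C:\Windows\system32\wsmprovhost.exe -Embedding"
ARCHIVE_PSM1 = (r"C:\Windows\system32\WindowsPowerShell\v1.0\Modules"
                r"\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1")

# Constructed sample events (not captured from a real system).
SAMPLE_EVENTS = {
    # English locale, remote session hosted by wsmprovhost.exe: should alert.
    "remote_session_en": _context("ServerRemoteHost", WSMPROVHOST),
    # French locale: the field label changes, the value does not, so it still alerts.
    "remote_session_fr": _context("ServerRemoteHost", WSMPROVHOST,
                                  host_label="Nom d’hôte"),
    # Remote session loading the built-in Archive module: suppressed by the filter.
    "remote_archive_module": _context("ServerRemoteHost", WSMPROVHOST,
                                      command_path=ARCHIVE_PSM1),
    # Local interactive console: neither selection string is present.
    "local_console": _context(
        "ConsoleHost",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
}


def evaluate(events: dict) -> dict:
    """Map each sample event name to whether the rule would alert on it."""
    return {name: rule_matches(ctx) for name, ctx in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{name:24s} {'ALERT' if hit else 'no match'}")
```

The filter only removes events whose ContextInfo names the Archive module path; any other module loaded over the same wsmprovhost.exe session still alerts, which is the behaviour a tuning exercise should confirm before adding further `filter_*` selectors.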
MITRE ATT&CK
Rule Metadata
Rule ID
96b9f619-aa91-478f-bacb-c3e50f8df575
Status
test
Level
high
Type
Detection
Created
Sat Aug 10
Modified
Fri Jan 20
Path
rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
Raw Tags
attack.execution
attack.t1059.001
attack.lateral-movement
attack.t1021.006