Detectionmediumtest

Enable Windows Remote Management

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Fri Jan 07991a9744-f2f0-44f2-bd33-9092eba17dc3windows

Log Source

WindowsPowerShell Script

ProductWindows← raw: windows

CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic

detection:
    selection_cmdlet:
        ScriptBlockText|contains: 'Enable-PSRemoting '
    condition: selection_cmdlet

False Positives

Legitimate script

References

MITRE ATT&CK

Tactics

TA0008 · Lateral Movement

Sub-techniques

T1021.006 · Windows Remote Management

Rule Metadata

Rule ID

991a9744-f2f0-44f2-bd33-9092eba17dc3

Status

test

Level

medium

Type

Detection

Created

Fri Jan 07

Author

François Hubaut

Path

rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml

Raw Tags

attack.lateral-movementattack.t1021.006

View on GitHub