Detection | high | test
Potential Remote PowerShell Session Initiated
Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account. This could indicate a remote PowerShell connection.
Author: Roberto Rodriguez (Cyb3rWard0g) | Created Thu Sep 12 | Updated Fri Feb 02 | c539afac-c12a-46ed-b1bd-5a5567c9f045 | windows
Log Source
Product: Windows (raw: windows)
Category: Network Connection (raw: network_connection)
Events for outbound and inbound network connections including DNS resolution.
Detection Logic (4 selectors)
detection:
    selection:
        DestinationPort:
            - 5985
            - 5986
        Initiated: 'true' # only matches of the initiating system can be evaluated
        SourceIsIpv6: 'false'
    filter_main_service_users:
        - User|contains: # covers many language settings for Network Service. Please expand
              - 'NETWORK SERVICE'
              - 'NETZWERKDIENST'
              - 'SERVICIO DE RED'
              - 'SERVIZIO DI RETE'
        - User|contains|all:
              - 'SERVICE R'
              - 'SEAU'
    filter_main_localhost:
        SourceIp:
            - '::1'
            - '127.0.0.1'
        DestinationIp:
            - '::1'
            - '127.0.0.1'
    filter_optional_avast:
        Image:
            - 'C:\Program Files\Avast Software\Avast\AvastSvc.exe'
            - 'C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

False Positives
Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.
Network Service user name in a localization not covered by the filter
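The rule's selection, filters and condition, re-implemented in Python as an added example (not part of the Sigma rule or this page) and run over constructed Sysmon-style network connection events; the event names, user names and addresses are made up for illustration.

```python
from typing import Any

# Field values copied from the Sigma rule above.
PORTS = {5985, 5986}
SERVICE_USER_ANY = ["NETWORK SERVICE", "NETZWERKDIENST", "SERVICIO DE RED", "SERVIZIO DI RETE"]
SERVICE_USER_ALL = ["SERVICE R", "SEAU"]  # User|contains|all, matches French "SERVICE RÉSEAU"
LOOPBACK = {"::1", "127.0.0.1"}
AVAST = {r"c:\program files\avast software\avast\avastsvc.exe",
         r"c:\program files (x86)\avast software\avast\avastsvc.exe"}

def _contains(field: str, needles: list[str], require_all: bool) -> bool:
    # Sigma string modifiers match case-insensitively; a list is OR, |all makes it AND.
    f = field.upper()
    hits = [n.upper() in f for n in needles]
    return all(hits) if require_all else any(hits)

def selection(e: dict[str, Any]) -> bool:
    return (int(e.get("DestinationPort", 0)) in PORTS
            and str(e.get("Initiated", "")).lower() == "true"
            and str(e.get("SourceIsIpv6", "")).lower() == "false")

def filter_main_service_users(e: dict[str, Any]) -> bool:
    user = str(e.get("User", ""))
    return _contains(user, SERVICE_USER_ANY, False) or _contains(user, SERVICE_USER_ALL, True)

def filter_main_localhost(e: dict[str, Any]) -> bool:
    # Both keys sit in one map, so source AND destination must be loopback.
    return e.get("SourceIp") in LOOPBACK and e.get("DestinationIp") in LOOPBACK

def filter_optional_avast(e: dict[str, Any]) -> bool:
    return str(e.get("Image", "")).lower() in AVAST

def matches(e: dict[str, Any]) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return (selection(e) and not (filter_main_service_users(e) or filter_main_localhost(e))
            and not filter_optional_avast(e))

BASE = {"DestinationPort": 5985, "Initiated": "true", "SourceIsIpv6": "false",
        "SourceIp": "10.0.0.5", "DestinationIp": "10.0.0.20",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}
EVENTS = {  # constructed events, one per branch of the rule
    "admin_winrm": {**BASE, "User": "CORP\\jdoe"},
    "network_service": {**BASE, "User": "NT AUTHORITY\\NETWORK SERVICE"},
    "french_service": {**BASE, "User": "AUTORITE NT\\SERVICE RÉSEAU"},
    "loopback": {**BASE, "User": "CORP\\jdoe", "SourceIp": "127.0.0.1", "DestinationIp": "127.0.0.1"},
    "avast": {**BASE, "User": "NT AUTHORITY\\SYSTEM",
              "Image": r"C:\Program Files\Avast Software\Avast\AvastSvc.exe"},
    "other_port": {**BASE, "User": "CORP\\jdoe", "DestinationPort": 443},
}

def alerts() -> list[str]:
    return [name for name, e in EVENTS.items() if matches(e)]

if __name__ == "__main__":
    print(alerts())  # ['admin_winrm']
```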
MITRE ATT&CK
Rule Metadata
Rule ID
c539afac-c12a-46ed-b1bd-5a5567c9f045
Status
test
Level
high
Type
Detection
Created
Thu Sep 12
Modified
Fri Feb 02
Path
rules/windows/network_connection/net_connection_win_susp_remote_powershell_session.yml
Raw Tags
attack.execution
attack.t1059.001
attack.lateral-movement
attack.t1021.006