SigmaHQ/rules/windows/sysmon/sysmon_remote_powershell_session_network.yml

title: Remote PowerShell Session
id: c539afac-c12a-46ed-b1bd-5a5567c9f045
description: Detects remote PowerShell connections by monitoring network outbount connections to ports 5985 or 5986 from not network service account
status: experimental
date: 2019/09/12
author: Roberto Rodriguez @Cyb3rWard0g
references:
    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
tags:
    - attack.execution
    - attack.t1086
logsource:
    product: windows
    service: sysmon
detection:
    selection: 
        EventID: 3
        DestinationPort:
            - 5985
            - 5986
    filter:
        User: 'NT AUTHORITY\NETWORK SERVICE'
    condition: selection and not filter
falsepositives:
    - Leigitmate usage of remote PowerShell, e.g. remote administration and monitoring.
level: high
Removed ATT&CK technique ids from titles and added tags 2020-01-10 23:33:50 +00:00			`title: Remote PowerShell Session`
UUIDs + moved unsupported logic * Added UUIDs to all contributed rules * Moved unsupported logic directory out of rules/ because this breaks CI testing. 2019-12-19 22:56:36 +00:00			`id: c539afac-c12a-46ed-b1bd-5a5567c9f045`
OSCD QA wave 3 2020-01-19 21:34:16 +00:00			`description: Detects remote PowerShell connections by monitoring network outbount connections to ports 5985 or 5986 from not network service account`
added: win_non_interactive_powershell.yml win_remote_powershell_session.yml win_wmiprvse_spawning_process.yml powershell_alternate_powershell_hosts.yml powershell_remote_powershell_session.yml sysmon_alternate_powershell_hosts_moduleload.yml sysmon_alternate_powershell_hosts_pipe.yml sysmon_non_interactive_powershell_execution.yml sysmon_powershell_execution_moduleload.yml sysmon_powershell_execution_pipe.yml sysmon_remote_powershell_session_network.yml sysmon_remote_powershell_session_process.yml sysmon_wmi_module_load.yml sysmon_wmiprvse_spawning_process.yml 2019-10-24 13:48:38 +00:00			`status: experimental`
			`date: 2019/09/12`
			`author: Roberto Rodriguez @Cyb3rWard0g`
			`references:`
			`- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md`
Removed ATT&CK technique ids from titles and added tags 2020-01-10 23:33:50 +00:00			`tags:`
			`- attack.execution`
			`- attack.t1086`
added: win_non_interactive_powershell.yml win_remote_powershell_session.yml win_wmiprvse_spawning_process.yml powershell_alternate_powershell_hosts.yml powershell_remote_powershell_session.yml sysmon_alternate_powershell_hosts_moduleload.yml sysmon_alternate_powershell_hosts_pipe.yml sysmon_non_interactive_powershell_execution.yml sysmon_powershell_execution_moduleload.yml sysmon_powershell_execution_pipe.yml sysmon_remote_powershell_session_network.yml sysmon_remote_powershell_session_process.yml sysmon_wmi_module_load.yml sysmon_wmiprvse_spawning_process.yml 2019-10-24 13:48:38 +00:00			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
			`selection:`
			`EventID: 3`
			`DestinationPort:`
			`- 5985`
			`- 5986`
			`filter:`
			`User: 'NT AUTHORITY\NETWORK SERVICE'`
			`condition: selection and not filter`
			`falsepositives:`
OSCD QA wave 3 2020-01-19 21:34:16 +00:00			`- Leigitmate usage of remote PowerShell, e.g. remote administration and monitoring.`
			`level: high`