SigmaHQ/rules/windows/builtin/win_remote_powershell_session.yml

title: Remote PowerShell Sessions Network Connections (WinRM)
id: 13acf386-b8c6-4fe0-9a6e-c4756b974698
description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
status: experimental
date: 2019/09/12
modified: 2021/05/21
author: Roberto Rodriguez @Cyb3rWard0g
references:
    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
tags:
    - attack.execution
    - attack.t1086          # an old one
    - attack.t1059.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5156
        DestPort:
            - 5985
            - 5986
        LayerRTID: 44
    condition: selection
falsepositives:
    - Legitimate use of remote PowerShell execution
level: high
Add keyword WinRM to remote powershell network rule 2021-05-20 15:02:17 +00:00			`title: Remote PowerShell Sessions Network Connections (WinRM)`
UUIDs + moved unsupported logic * Added UUIDs to all contributed rules * Moved unsupported logic directory out of rules/ because this breaks CI testing. 2019-12-19 22:56:36 +00:00			`id: 13acf386-b8c6-4fe0-9a6e-c4756b974698`
Add keyword WinRM to remote powershell network rule 2021-05-20 15:02:17 +00:00			`description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986`
added: win_non_interactive_powershell.yml win_remote_powershell_session.yml win_wmiprvse_spawning_process.yml powershell_alternate_powershell_hosts.yml powershell_remote_powershell_session.yml sysmon_alternate_powershell_hosts_moduleload.yml sysmon_alternate_powershell_hosts_pipe.yml sysmon_non_interactive_powershell_execution.yml sysmon_powershell_execution_moduleload.yml sysmon_powershell_execution_pipe.yml sysmon_remote_powershell_session_network.yml sysmon_remote_powershell_session_process.yml sysmon_wmi_module_load.yml sysmon_wmiprvse_spawning_process.yml 2019-10-24 13:48:38 +00:00			`status: experimental`
			`date: 2019/09/12`
Add modified field in WinRM rule 2021-05-21 07:28:45 +00:00			`modified: 2021/05/21`
added: win_non_interactive_powershell.yml win_remote_powershell_session.yml win_wmiprvse_spawning_process.yml powershell_alternate_powershell_hosts.yml powershell_remote_powershell_session.yml sysmon_alternate_powershell_hosts_moduleload.yml sysmon_alternate_powershell_hosts_pipe.yml sysmon_non_interactive_powershell_execution.yml sysmon_powershell_execution_moduleload.yml sysmon_powershell_execution_pipe.yml sysmon_remote_powershell_session_network.yml sysmon_remote_powershell_session_process.yml sysmon_wmi_module_load.yml sysmon_wmiprvse_spawning_process.yml 2019-10-24 13:48:38 +00:00			`author: Roberto Rodriguez @Cyb3rWard0g`
			`references:`
Update Threat Hunter Playbook Reference 2021-05-22 03:58:23 +00:00			`- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html`
Removed ATT&CK technique ids from titles and added tags 2020-01-10 23:33:50 +00:00			`tags:`
			`- attack.execution`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-24 23:09:17 +00:00			`- attack.t1086 # an old one`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`- attack.t1059.001`
added: win_non_interactive_powershell.yml win_remote_powershell_session.yml win_wmiprvse_spawning_process.yml powershell_alternate_powershell_hosts.yml powershell_remote_powershell_session.yml sysmon_alternate_powershell_hosts_moduleload.yml sysmon_alternate_powershell_hosts_pipe.yml sysmon_non_interactive_powershell_execution.yml sysmon_powershell_execution_moduleload.yml sysmon_powershell_execution_pipe.yml sysmon_remote_powershell_session_network.yml sysmon_remote_powershell_session_process.yml sysmon_wmi_module_load.yml sysmon_wmiprvse_spawning_process.yml 2019-10-24 13:48:38 +00:00			`logsource:`
			`product: windows`
			`service: security`
			`detection:`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`selection:`
added: win_non_interactive_powershell.yml win_remote_powershell_session.yml win_wmiprvse_spawning_process.yml powershell_alternate_powershell_hosts.yml powershell_remote_powershell_session.yml sysmon_alternate_powershell_hosts_moduleload.yml sysmon_alternate_powershell_hosts_pipe.yml sysmon_non_interactive_powershell_execution.yml sysmon_powershell_execution_moduleload.yml sysmon_powershell_execution_pipe.yml sysmon_remote_powershell_session_network.yml sysmon_remote_powershell_session_process.yml sysmon_wmi_module_load.yml sysmon_wmiprvse_spawning_process.yml 2019-10-24 13:48:38 +00:00			`EventID: 5156`
			`DestPort:`
			`- 5985`
			`- 5986`
			`LayerRTID: 44`
			`condition: selection`
			`falsepositives:`
OSCD QA wave 3 2020-01-19 21:34:16 +00:00			`- Legitimate use of remote PowerShell execution`
			`level: high`