valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add keyword WinRM to remote powershell process rule

Browse Source
This commit is contained in:
Andreas Hunkeler 2021-05-20 17:03:32 +02:00 committed by GitHub
parent b46f65965d
commit 93241e7fc6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/windows/process_creation/win_remote_powershell_session_process.yml
View File

@ -1,4 +1,4 @@
title: Remote PowerShell Session (WinRM)
title: Remote PowerShell Session Host Process (WinRM)
id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8
description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active ps remote session)
status: experimental