SigmaHQ/rules/windows/sysmon/sysmon_remote_powershell_session_network.yml
2020-02-02 12:41:12 +01:00

27 lines
882 B
YAML

title: Remote PowerShell Session
id: c539afac-c12a-46ed-b1bd-5a5567c9f045
description: Detects remote PowerShell connections by monitoring network outbount connections to ports 5985 or 5986 from not network service account
status: experimental
date: 2019/09/12
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
tags:
- attack.execution
- attack.t1086
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 3
DestinationPort:
- 5985
- 5986
filter:
User: 'NT AUTHORITY\NETWORK SERVICE'
condition: selection and not filter
falsepositives:
- Leigitmate usage of remote PowerShell, e.g. remote administration and monitoring.
level: high