valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
9c94cf42fe
SigmaHQ/rules/windows/builtin/win_remote_powershell_session.yml
Jonhnathan 7007287832
Update Threat Hunter Playbook Reference
2021-05-22 00:58:23 -03:00

28 lines
806 B
YAML
Raw Blame History

title: Remote PowerShell Sessions Network Connections (WinRM)
id: 13acf386-b8c6-4fe0-9a6e-c4756b974698
description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
status: experimental
date: 2019/09/12
modified: 2021/05/21
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
tags:
- attack.execution
- attack.t1086 # an old one
- attack.t1059.001
logsource:
product: windows
service: security
detection:
selection:
EventID: 5156
DestPort:
- 5985
- 5986
LayerRTID: 44
condition: selection
falsepositives:
- Legitimate use of remote PowerShell execution
level: high
Reference in New Issue View Git Blame Copy Permalink