sigmahighHunting

Remote PowerShell Session (PS Module)

Detects remote PowerShell sessions

MITRE ATT&CK

executionlateral-movement

Detection Query

selection:
  ContextInfo|contains|all:
    - " = ServerRemoteHost "
    - wsmprovhost.exe
filter_pwsh_archive:
  ContextInfo|contains: \Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1
condition: selection and not 1 of filter_*

Author

Roberto Rodriguez @Cyb3rWard0g, Tim Shelton

Created

2019-08-10

Data Sources

windowsps_module

Platforms

windows

References

https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html

Tags

attack.executionattack.t1059.001attack.lateral-movementattack.t1021.006

Raw Content

title: Remote PowerShell Session (PS Module)
id: 96b9f619-aa91-478f-bacb-c3e50f8df575
status: test
description: Detects remote PowerShell sessions
references:
    - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
date: 2019-08-10
modified: 2023-01-20
tags:
    - attack.execution
    - attack.t1059.001
    - attack.lateral-movement
    - attack.t1021.006
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        ContextInfo|contains|all:
            - ' = ServerRemoteHost ' #  HostName: 'ServerRemoteHost'  french : Nom d’hôte =
            - 'wsmprovhost.exe'      #  HostApplication|contains: 'wsmprovhost.exe' french  Application hôte =
    filter_pwsh_archive:
        ContextInfo|contains: '\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate use remote PowerShell sessions
level: high