LoFP / administrators may leverage winrm and `enter-pssession` for administrative and troubleshooting tasks. this activity is usually limited to a small set of hosts or users. in certain environments, tuning may not be possible.

Techniques

• T1021
• T1021.006

Sample rules

Interactive Session on Remote Endpoint with PowerShell

• source: splunk
• technicques:
  • T1021
  • T1021.006

Description

The following analytic detects the use of the Enter-PSSession cmdlet to establish an interactive session on a remote endpoint via the WinRM protocol. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity by searching for specific script block text patterns. This behavior is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this activity could allow attackers to execute commands remotely, potentially leading to further compromise of the network and unauthorized access to sensitive information.

Detection logic

`powershell` EventCode=4104 (ScriptBlockText="*Enter-PSSession*" AND ScriptBlockText="*-ComputerName*") 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| rename Computer as dest 
| rename UserID as user
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `interactive_session_on_remote_endpoint_with_powershell_filter`