Interactive Session on Remote Endpoint with PowerShell
- source: splunk
- techniques:
- T1021
- T1021.006
Description
The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify usage of the Enter-PSSession cmdlet. This cmdlet opens an interactive session on a remote endpoint over the WinRM protocol. Red teams and adversaries alike may abuse WinRM and Enter-PSSession for lateral movement and remote code execution.
Detection logic
`powershell` EventCode=4104 (ScriptBlockText="*Enter-PSSession*" AND ScriptBlockText="*-ComputerName*")
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
| rename Computer as dest
| rename UserID as user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `interactive_session_on_remote_endpoint_with_powershell_filter`
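Added example, not part of the Splunk content or of this page: a Python re-implementation of the search's filter and stats stages, run over constructed 4104 events so the matching behaviour (EventCode gate, both wildcard terms required, Splunk's case-insensitive matching) can be checked offline. Hostnames, users and timestamps are constructed; the site-specific filter macro has no equivalent here and is omitted.

```python
from datetime import datetime, timezone

# Constructed sample events mimicking the fields the search keys on (not real telemetry).
# Only the first two should survive: 4103 fails the EventCode gate, "Get-Process" lacks
# both terms, and "Enter-PSSession -Id 3" lacks -ComputerName.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventCode": 4104, "Computer": "ws01.corp.example",
     "UserID": "CORP\\alice", "ScriptBlockText": "Enter-PSSession -ComputerName srv02"},
    {"_time": 1700000060, "EventCode": 4104, "Computer": "ws01.corp.example",
     "UserID": "CORP\\alice", "ScriptBlockText": "enter-pssession -computername srv02"},
    {"_time": 1700000120, "EventCode": 4104, "Computer": "ws01.corp.example",
     "UserID": "CORP\\alice", "ScriptBlockText": "Get-Process"},
    {"_time": 1700000180, "EventCode": 4103, "Computer": "ws01.corp.example",
     "UserID": "CORP\\alice", "ScriptBlockText": "Enter-PSSession -ComputerName srv02"},
    {"_time": 1700000240, "EventCode": 4104, "Computer": "ws03.corp.example",
     "UserID": "CORP\\bob", "ScriptBlockText": "Enter-PSSession -Id 3"},
]

def matches(event):
    """Filter stage: EventCode=4104 AND *Enter-PSSession* AND *-ComputerName*.
    Splunk wildcard matches are case-insensitive, so compare lower-cased text."""
    text = str(event.get("ScriptBlockText", "")).lower()
    return (event.get("EventCode") == 4104
            and "enter-pssession" in text
            and "-computername" in text)

def ctime(epoch):
    """Stand-in for the security_content_ctime macro: epoch -> readable UTC time."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")

def detect(events):
    """Stats stage: count/firstTime/lastTime per (EventCode, ScriptBlockText, Computer, UserID),
    then the rename stage (Computer -> dest, UserID -> user). Note the group key is the raw
    script block text, so case variants of the same command land in separate rows."""
    rows = {}
    for ev in filter(matches, events):
        key = (ev["EventCode"], ev["ScriptBlockText"], ev["Computer"], ev["UserID"])
        agg = rows.setdefault(key, {"count": 0, "first": ev["_time"], "last": ev["_time"]})
        agg["count"] += 1
        agg["first"] = min(agg["first"], ev["_time"])
        agg["last"] = max(agg["last"], ev["_time"])
    return [{"EventCode": code, "ScriptBlockText": text, "dest": dest, "user": user,
             "count": agg["count"], "firstTime": ctime(agg["first"]), "lastTime": ctime(agg["last"])}
            for (code, text, dest, user), agg in rows.items()]
```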