Administrators may leverage WinRM and `Enter-PSSession` for administrative and troubleshooting tasks. This activity is usually limited to a small set of hosts or users. In certain environments, tuning may not be possible.

Techniques

Sample rules

Interactive Session on Remote Endpoint with PowerShell

Description

The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify usage of Enter-PSSession. This cmdlet can be used to open an interactive session on a remote endpoint over the WinRM protocol. Red Teams and adversaries alike may abuse WinRM and Enter-PSSession for lateral movement and remote code execution.

Detection logic

`powershell` EventCode=4104 (ScriptBlockText="*Enter-PSSession*" AND ScriptBlockText="*-ComputerName*") 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| rename Computer as dest 
| rename UserID as user
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `interactive_session_on_remote_endpoint_with_powershell_filter`
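The search above, re-implemented in Python and run over constructed sample 4104 events so the matching, aggregation and tuning steps can be checked offline. This is an added example, not part of the original page or the detection content project; the event dicts, host and user names are constructed, and the `ALLOWLIST` of (dest, user) pairs is an assumed stand-in for the page's `interactive_session_on_remote_endpoint_with_powershell_filter` macro, which is where the false-positive tuning described at the top of the page would live.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real telemetry). Field names mirror the
# Splunk search: _time, EventCode, ScriptBlockText, Computer, UserID.
SAMPLE_EVENTS = [
    {"_time": "2024-03-04T08:05:00Z", "EventCode": 4104, "Computer": "ws17.corp.example",
     "UserID": "CORP\\jdoe", "ScriptBlockText": "Enter-PSSession -ComputerName fs02"},
    {"_time": "2024-03-04T08:07:30Z", "EventCode": 4104, "Computer": "ws17.corp.example",
     "UserID": "CORP\\jdoe", "ScriptBlockText": "Enter-PSSession -ComputerName fs02"},
    # Same cmdlet without -ComputerName: the search requires both wildcards.
    {"_time": "2024-03-04T08:09:00Z", "EventCode": 4104, "Computer": "ws17.corp.example",
     "UserID": "CORP\\jdoe", "ScriptBlockText": "Enter-PSSession -ContainerId abc"},
    # Wrong event code: a 4103 pipeline-execution log is ignored.
    {"_time": "2024-03-04T08:10:00Z", "EventCode": 4103, "Computer": "ws17.corp.example",
     "UserID": "CORP\\jdoe", "ScriptBlockText": "Enter-PSSession -ComputerName fs02"},
    # Known admin jump host: matched by the search, then dropped by the filter.
    {"_time": "2024-03-04T09:00:00Z", "EventCode": 4104, "Computer": "jump01.corp.example",
     "UserID": "CORP\\svc_ops", "ScriptBlockText": "enter-pssession -computername dc01"},
]

# Hypothetical tuning allowlist of (dest, user) pairs, standing in for the
# page's `interactive_session_on_remote_endpoint_with_powershell_filter` macro.
ALLOWLIST = {("jump01.corp.example", "CORP\\svc_ops")}


def matches_search(event):
    """Equivalent of: EventCode=4104 ScriptBlockText="*Enter-PSSession*" AND
    ScriptBlockText="*-ComputerName*". Splunk wildcard matches on field values
    are case-insensitive, so the comparison is done on lower-cased text."""
    if event.get("EventCode") != 4104:
        return False
    text = str(event.get("ScriptBlockText", "")).lower()
    return "enter-pssession" in text and "-computername" in text


def summarize(events, allowlist=ALLOWLIST):
    """Equivalent of the stats / rename / filter pipeline. Returns a dict keyed
    by (EventCode, ScriptBlockText, dest, user) holding count, firstTime and
    lastTime, with allowlisted (dest, user) pairs removed as the macro would."""
    groups = defaultdict(list)
    for ev in filter(matches_search, events):
        key = (ev["EventCode"], ev["ScriptBlockText"], ev["Computer"], ev["UserID"])
        groups[key].append(datetime.fromisoformat(ev["_time"].replace("Z", "+00:00")))
    results = {}
    for (code, text, dest, user), times in groups.items():
        if (dest, user) in allowlist:
            continue  # tuned out, as the filter macro would do
        results[(code, text, dest, user)] = {
            "count": len(times),
            "firstTime": min(times).isoformat(),
            "lastTime": max(times).isoformat(),
        }
    return results


if __name__ == "__main__":
    for (code, text, dest, user), stats in summarize(SAMPLE_EVENTS).items():
        print(f"dest={dest} user={user} count={stats['count']} "
              f"first={stats['firstTime']} last={stats['lastTime']} script={text!r}")
```

Grouping by the full ScriptBlockText, as the search does, means two sessions to different `-ComputerName` targets from the same host and user show up as separate rows; running with an empty allowlist shows the jump-host row that the tuning removes.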