legitimate usage of remote powershell, e.g. for monitoring purposes.

t1021
t1021.006
t1059
t1059.001
windows
sigma

Techniques

t1021
t1021.006
t1059
t1059.001

Sample rules

Remote PowerShell Session Host Process (WinRM)

source: sigma
technicques:
- t1021
- t1021.006
- t1059
- t1059.001

Description

Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).

Detection logic

condition: selection
selection:
- Image|endswith: \wsmprovhost.exe
- ParentImage|endswith: \wsmprovhost.exe