Techniques
Sample rules
Potential Remote PowerShell Session Initiated
- source: sigma
- techniques:
- t1021
- t1021.006
- t1059
- t1059.001
Description
Detects a process that initiated a network connection over port 5985 or 5986 from a non-network service account. This could indicate a remote PowerShell (WinRM) connection.
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_localhost:
    DestinationIp:
        - '::1'
        - '127.0.0.1'
    SourceIp:
        - '::1'
        - '127.0.0.1'
filter_main_service_users:
    - User|contains:
        - 'NETWORK SERVICE'
        - 'NETZWERKDIENST'
        - 'SERVICIO DE RED'
        - 'SERVIZIO DI RETE'
    - User|contains|all:
        - 'SERVICE R'
        - 'SEAU'
filter_optional_avast:
    Image:
        - 'C:\Program Files\Avast Software\Avast\AvastSvc.exe'
        - 'C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe'
selection:
    DestinationPort:
        - 5985
        - 5986
    Initiated: 'true'
    SourceIsIpv6: 'false'
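As an added example (not code from the Sigma project or from this page), the following Python evaluates the rule's selection and filters over a few constructed Sysmon Event ID 3 style records. Field names are taken from the rule; the sample events, the `evaluate` helper and the event indices it returns are assumptions made for the example. String matching is case-insensitive, which is Sigma's default for `contains` and plain value matches, and the `SERVICE R` + `SEAU` pair shows why the rule splits the French `SERVICE RÉSEAU` around the accented character.

```python
# Added example: replay the Sigma rule above against constructed network-connection events.
# Not the Sigma project's own code; field names follow the rule, events are constructed.

LOCALHOST = {"::1", "127.0.0.1"}
SERVICE_USER_ANY = ("NETWORK SERVICE", "NETZWERKDIENST", "SERVICIO DE RED", "SERVIZIO DI RETE")
SERVICE_USER_ALL = ("SERVICE R", "SEAU")   # French 'SERVICE RÉSEAU' minus the accented É
AVAST_IMAGES = {
    r"C:\Program Files\Avast Software\Avast\AvastSvc.exe".lower(),
    r"C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe".lower(),
}


def _contains(value, needle):
    # Sigma string modifiers match case-insensitively by default.
    return needle.lower() in str(value).lower()


def selection(ev):
    # Outbound (Initiated) IPv4 connection to a WinRM port.
    return (ev.get("DestinationPort") in (5985, 5986)
            and str(ev.get("Initiated")).lower() == "true"
            and str(ev.get("SourceIsIpv6")).lower() == "false")


def filter_main_localhost(ev):
    # Both keys in one map must match: loopback source AND loopback destination.
    return ev.get("DestinationIp") in LOCALHOST and ev.get("SourceIp") in LOCALHOST


def filter_main_service_users(ev):
    # List of maps: either branch matching excludes the event.
    user = ev.get("User", "")
    return (any(_contains(user, t) for t in SERVICE_USER_ANY)
            or all(_contains(user, t) for t in SERVICE_USER_ALL))


def filter_optional_avast(ev):
    return str(ev.get("Image", "")).lower() in AVAST_IMAGES


def matches(ev):
    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    return (selection(ev)
            and not filter_main_localhost(ev)
            and not filter_main_service_users(ev)
            and not filter_optional_avast(ev))


# Constructed sample events (Sysmon Event ID 3 fields as the rule names them).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\alice", "SourceIp": "10.0.0.10", "DestinationIp": "10.0.0.5",
     "DestinationPort": 5985, "Initiated": "true", "SourceIsIpv6": "false"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\NETWORK SERVICE", "SourceIp": "10.0.0.10", "DestinationIp": "10.0.0.5",
     "DestinationPort": 5985, "Initiated": "true", "SourceIsIpv6": "false"},
    {"Image": r"C:\Windows\System32\wsmprovhost.exe",
     "User": r"CORP\bob", "SourceIp": "127.0.0.1", "DestinationIp": "127.0.0.1",
     "DestinationPort": 5986, "Initiated": "true", "SourceIsIpv6": "false"},
    {"Image": r"C:\Program Files\Avast Software\Avast\AvastSvc.exe",
     "User": r"NT AUTHORITY\SYSTEM", "SourceIp": "10.0.0.10", "DestinationIp": "10.0.0.5",
     "DestinationPort": 5985, "Initiated": "true", "SourceIsIpv6": "false"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "User": "AUTORITE NT\\SERVICE RÉSEAU", "SourceIp": "10.0.0.10", "DestinationIp": "10.0.0.5",
     "DestinationPort": 5985, "Initiated": "true", "SourceIsIpv6": "false"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\alice", "SourceIp": "10.0.0.10", "DestinationIp": "10.0.0.5",
     "DestinationPort": 443, "Initiated": "true", "SourceIsIpv6": "false"},
]


def evaluate(events):
    """Return the indices of events that the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {ev['Image']} as {ev['User']} -> "
              f"{ev['DestinationIp']}:{ev['DestinationPort']}")
```

Only the first sample (an interactive user's powershell.exe reaching another host on 5985) survives: the service-account, loopback and Avast filters each remove one event, and the port 443 connection never satisfies the selection.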