Techniques
Sample rules
Remote PowerShell Sessions Network Connections (WinRM)
- source: sigma
- techniques:
  - t1059
  - t1059.001
Description
Detects basic PowerShell Remoting (WinRM) by monitoring for inbound network connections to ports 5985 or 5986.
Detection logic
condition: selection
selection:
  DestPort:
    - 5985
    - 5986
  EventID: 5156
  LayerRTID: 44
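The selection above, evaluated over event records, as an added example that is not part of the Sigma rule or of the original page. It assumes events are available as Windows event XML with `Data` fields named as in the rule; the sample records are constructed and the helper names (`parse_event`, `matches`, `make_event`, `evaluate`) are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The rule's selection: fields are ANDed, a list of values is ORed.
SELECTION = {"EventID": [5156], "DestPort": [5985, 5986], "LayerRTID": [44]}

def parse_event(xml_text):
    """Flatten a Windows event XML record into {field: value}."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for data in root.iterfind("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text
    return fields

def matches(fields, selection=SELECTION):
    """True when every selected field holds one of its listed values."""
    for name, allowed in selection.items():
        value = fields.get(name)
        # A missing or non-numeric field can never satisfy the selection.
        if value is None or not value.strip().isdigit():
            return False
        if int(value) not in allowed:
            return False
    return True

def make_event(event_id, dest_port, layer_rtid):
    """Constructed sample record (not captured from a real host)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="DestPort">{dest_port}</Data>
    <Data Name="LayerRTID">{layer_rtid}</Data>
  </EventData>
</Event>"""

SAMPLES = {
    "WinRM over HTTP, LayerRTID 44": make_event(5156, 5985, 44),
    "WinRM over HTTPS, LayerRTID 44": make_event(5156, 5986, 44),
    "same port, different LayerRTID": make_event(5156, 5985, 48),
    "LayerRTID 44, unrelated port": make_event(5156, 443, 44),
    "different EventID": make_event(5158, 5985, 44),
}

def evaluate(samples=SAMPLES):
    return {label: matches(parse_event(xml)) for label, xml in samples.items()}

if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{'MATCH' if hit else 'no match':9} {label}")
```

Only the first two records match: a record with the right port but another `LayerRTID`, another port, or another `EventID` fails the AND across fields.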