Techniques
Sample rules
Remote PowerShell Session (PS Classic)
- source: sigma
- techniques:
  - t1021
  - t1021.006
  - t1059
  - t1059.001
Description
Detects remote PowerShell sessions
Detection logic
selection:
  Data|contains|all:
    - HostName=ServerRemoteHost
    - wsmprovhost.exe
condition: selection
Remote PowerShell Session (PS Module)
- source: sigma
- techniques:
  - t1021
  - t1021.006
  - t1059
  - t1059.001
Description
Detects remote PowerShell sessions
Detection logic
selection:
  ContextInfo|contains|all:
    - ' = ServerRemoteHost '
    - wsmprovhost.exe
filter_pwsh_archive:
  ContextInfo|contains: \Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1
condition: selection and not 1 of filter_*