LoFP / note that false positives may occur due to the use of the enable-psremoting cmdlet by legitimate users, such as system administrators. it is recommended to apply appropriate filters as needed to minimize the number of false positives.

Techniques

• T1059
• T1059.001

Sample rules

PowerShell Enable PowerShell Remoting

• source: splunk
• technicques:
  • T1059.001
  • T1059

Description

The following analytic detects the use of the Enable-PSRemoting cmdlet, which allows PowerShell remoting on a local or remote computer. This detection leverages PowerShell Script Block Logging (EventCode 4104) to identify when this cmdlet is executed. Monitoring this activity is crucial as it can indicate an attacker enabling remote command execution capabilities on a compromised system. If confirmed malicious, this activity could allow an attacker to take control of the system remotely, execute commands, and potentially pivot to other systems within the network, leading to further compromise and lateral movement.

Detection logic

`powershell` EventCode=4104 ScriptBlockText="*Enable-PSRemoting*" 
| stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `powershell_enable_powershell_remoting_filter`