Incoming Execution via PowerShell Remoting

About

Tags

Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: Lateral MovementTactic: ExecutionData Source: Elastic DefendData Source: SysmonLanguage: eql

Severity

medium

Risk Score

47

MITRE ATT&CK™

Lateral Movement (TA0008)(opens in a new tab or window)

↳ Remote Services (T1021)(opens in a new tab or window)

Execution (TA0002)(opens in a new tab or window)

↳ Command and Scripting Interpreter (T1059)(opens in a new tab or window)

False Positive Examples

PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

winlogbeat-*logs-endpoint.events.process-*logs-endpoint.events.network-*logs-windows.sysmon_operational-*

Related Integrations

endpoint(opens in a new tab or window)

windows(opens in a new tab or window)

Query

sequence by host.id with maxspan = 30s
   [network where host.os.type == "windows" and network.direction : ("incoming", "ingress") and destination.port in (5985, 5986) and
    source.ip != "127.0.0.1" and source.ip != "::1"]
   [process where host.os.type == "windows" and
    event.type == "start" and process.parent.name : "wsmprovhost.exe" and not process.executable : "?:\\Windows\\System32\\conhost.exe"]