Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows for running any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.
Rule type: eql
Risk score: 43
Runs every: 5 minutes
Maximum alerts per execution: 100
Tags:
- Threat Detection
- Lateral Movement
Added (Elastic Stack release): 7.11.0
Rule authors: Elastic
Rule license: Elastic License
PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It’s important to baseline your environment to determine the amount of noise to expect from this tool.
sequence by host.id with maxspan = 30s
  [network where network.direction == "incoming" and destination.port in (5985, 5986) and
     network.protocol == "http" and source.address != "127.0.0.1" and source.address != "::1"]
  [process where event.type == "start" and process.parent.name : "wsmprovhost.exe" and
     not process.name : "conhost.exe"]
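The query above is a two-stage EQL sequence: an inbound HTTP connection to a WinRM port (5985/5986) from a non-loopback address, followed within 30 seconds on the same host.id by a process start whose parent is wsmprovhost.exe (the WinRM plugin host that services remote PowerShell sessions), with conhost.exe excluded as a noisy child. The Python below is an added example, not Elastic's code or part of the rule: it re-implements that join in plain Python over a handful of constructed ECS-shaped events so the per-host correlation, the maxspan window and the two exclusions can be seen working. The event dictionaries, hostnames, addresses and timestamps are all made up for the demonstration.

```python
"""
Added example: re-implementation of the rule's two-stage EQL sequence in plain
Python, run over constructed sample events. Not Elastic's code. The event
shape mimics the ECS field names the rule uses (host.id, network.direction,
destination.port, process.parent.name, ...).
"""
from datetime import datetime, timedelta

WINRM_PORTS = {5985, 5986}
LOOPBACK = {"127.0.0.1", "::1"}


def _ci_eq(value, pattern):
    """Approximates EQL's ':' operator: case-insensitive string comparison."""
    return value is not None and value.lower() == pattern.lower()


def is_incoming_winrm(ev):
    """Stage 1: inbound HTTP to a WinRM port from a non-loopback source."""
    return (
        ev.get("event.category") == "network"
        and ev.get("network.direction") == "incoming"
        and ev.get("destination.port") in WINRM_PORTS
        and ev.get("network.protocol") == "http"
        and ev.get("source.address") not in LOOPBACK
    )


def is_wsmprovhost_child(ev):
    """Stage 2: process start parented by wsmprovhost.exe, excluding conhost.exe."""
    return (
        ev.get("event.category") == "process"
        and ev.get("event.type") == "start"
        and _ci_eq(ev.get("process.parent.name"), "wsmprovhost.exe")
        and not _ci_eq(ev.get("process.name"), "conhost.exe")
    )


def detect_incoming_psremoting(events, maxspan_seconds=30):
    """Join stage-1 and stage-2 events per host.id, in time order, within maxspan.
    Returns a list of (network_event, process_event) pairs, one per alert."""
    maxspan = timedelta(seconds=maxspan_seconds)
    pending = {}  # host.id -> unmatched stage-1 events, oldest first
    matches = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        host = ev["host.id"]
        if is_incoming_winrm(ev):
            pending.setdefault(host, []).append(ev)
        elif is_wsmprovhost_child(ev):
            window = pending.get(host, [])
            # discard stage-1 events that have aged past the maxspan window
            window[:] = [n for n in window if ev["@timestamp"] - n["@timestamp"] <= maxspan]
            if window:
                matches.append((window.pop(0), ev))
    return matches


# --- constructed sample telemetry (not real data) ---------------------------
T0 = datetime(2024, 1, 1, 12, 0, 0)


def _net(host, src, port, secs):
    return {"@timestamp": T0 + timedelta(seconds=secs), "host.id": host,
            "event.category": "network", "network.direction": "incoming",
            "network.protocol": "http", "destination.port": port,
            "source.address": src}


def _proc(host, name, parent, secs):
    return {"@timestamp": T0 + timedelta(seconds=secs), "host.id": host,
            "event.category": "process", "event.type": "start",
            "process.name": name, "process.parent.name": parent}


SAMPLE_EVENTS = [
    _net("host-A", "10.0.0.5", 5985, 0),
    _proc("host-A", "conhost.exe", "wsmprovhost.exe", 1),      # excluded child
    _proc("host-A", "powershell.exe", "wsmprovhost.exe", 4),   # -> alert
    _net("host-B", "127.0.0.1", 5985, 0),                      # loopback: stage 1 fails
    _proc("host-B", "powershell.exe", "wsmprovhost.exe", 2),
    _net("host-C", "10.0.0.9", 5986, 0),
    _proc("host-C", "powershell.exe", "WSMPROVHOST.EXE", 45),  # outside 30s maxspan
    _proc("host-D", "cmd.exe", "wsmprovhost.exe", 5),          # no preceding inbound WinRM
]


def run_sample(maxspan_seconds=30):
    """Returns (host.id, process.name) for each alert raised on the sample events."""
    return [(n["host.id"], p["process.name"])
            for n, p in detect_incoming_psremoting(SAMPLE_EVENTS, maxspan_seconds)]


if __name__ == "__main__":
    for host, proc in run_sample():
        print(f"alert: {host} spawned {proc} under wsmprovhost.exe after inbound WinRM")
```

With the default 30-second window only host-A fires; host-C shows why maxspan matters, since widening it to 60 seconds turns that late powershell.exe start into a second alert. When baselining, this is the knob to watch: legitimate management tooling that opens a session and then idles before executing will land outside the window, while a script that connects and immediately runs commands will not. The toy join consumes each stage-1 event once and ignores EQL's handling of multiple concurrent sequences, which is enough to illustrate the rule but not a substitute for it.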