title: Remote PowerShell Sessions Network Connections (WinRM)
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/09/12
description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound
  connections to ports 5985 OR 5986
detection:
  SELECTION_1:
    EventID: 5156
  SELECTION_2:
    DestPort: 5985
  SELECTION_3:
    DestPort: 5986
  SELECTION_4:
    LayerRTID: 44
  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and SELECTION_4)
falsepositives:
- Legitimate use of remote PowerShell execution
id: 13acf386-b8c6-4fe0-9a6e-c4756b974698
level: high
logsource:
  product: windows
  service: security
modified: 2021/05/21
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
status: experimental
tags:
- attack.execution
- attack.t1086
- attack.t1059.001