title: Remote PowerShell Session
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/10
description: Detects remote PowerShell sessions
detection:
    SELECTION_1:
        HostName: ServerRemoteHost
    SELECTION_2:
        HostApplication: '*wsmprovhost.exe*'
    condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate use remote PowerShell sessions
id: 60167e5c-84b2-4c95-a7ac-86281f27c445
level: high
logsource:
    category: ps_classic_start
    definition: fields have to be extract from event
    product: windows
modified: 2021/10/16
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
related:
-   id: 96b9f619-aa91-478f-bacb-c3e50f8df575
    type: derived
status: test
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
- attack.lateral_movement
- attack.t1021.006
- attack.t1028
yml_filename: powershell_classic_remote_powershell_session.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic