title: Remote PowerShell Session
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/09/12
description: Detects remote PowerShell connections by monitoring network outbound
    connections to ports 5985 or 5986 from a non-network service account.
detection:
    SELECTION_1:
        EventID: 3
    SELECTION_2:
        DestinationPort: 5985
    SELECTION_3:
        DestinationPort: 5986
    SELECTION_4:
        User: NT AUTHORITY\NETWORK SERVICE
    condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and  not (SELECTION_4))
falsepositives:
- Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.
id: c539afac-c12a-46ed-b1bd-5a5567c9f045
level: high
logsource:
    category: network_connection
    product: windows
modified: 2020/08/24
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
- attack.lateral_movement
- attack.t1021.006
- attack.t1028
yml_filename: sysmon_remote_powershell_session_network.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection