Incoming Remote PowerShell Sessions

Incoming lateral movement via Windows Remote Management (WinRM)

id: 3abf86e1-3ba3-4473-90ea-5fc37ff57d18
categories: enrich
confidence: low
os: windows
created: 7/26/2019
updated: 7/26/2019

MITRE ATT&CK™ Mapping

tactics: Lateral Movement, Execution
techniques: T1028 Windows Remote Management

Query

sequence with maxspan=2s
  [network where subtype.incoming and destination_port in (5985, 5986)]
  [process where subtype.create and
    process_name == "wsmprovhost.exe" and parent_process_name == "svchost.exe"]
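
As an added illustration (not part of the original analytic or the EQL library), the Python below approximates how the two-stage `sequence with maxspan=2s` above is evaluated over a stream of endpoint events: an incoming connection to 5985/5986 is held as state, and a later `wsmprovhost.exe` spawned by `svchost.exe` completes the sequence only if it arrives within the window. Field names mirror the query; the events are constructed sample data with epoch-second timestamps.

```python
# Emulation of the WinRM sequence rule over constructed sample events (not real telemetry).
from typing import Dict, List, Optional, Tuple

Event = Dict[str, object]

EVENTS: List[Event] = [  # constructed sample data
    {"t": 100.0, "event_type": "network", "subtype": "incoming", "destination_port": 5985},
    {"t": 100.8, "event_type": "process", "subtype": "create",
     "process_name": "wsmprovhost.exe", "parent_process_name": "svchost.exe"},
    {"t": 200.0, "event_type": "network", "subtype": "incoming", "destination_port": 5986},
    {"t": 205.0, "event_type": "process", "subtype": "create",   # 5s later: outside maxspan
     "process_name": "wsmprovhost.exe", "parent_process_name": "svchost.exe"},
    {"t": 300.0, "event_type": "process", "subtype": "create",   # no preceding WinRM connection
     "process_name": "wsmprovhost.exe", "parent_process_name": "svchost.exe"},
    {"t": 400.0, "event_type": "network", "subtype": "incoming", "destination_port": 443},
    {"t": 400.5, "event_type": "process", "subtype": "create",   # first stage was not WinRM
     "process_name": "wsmprovhost.exe", "parent_process_name": "svchost.exe"},
]

def is_incoming_winrm(e: Event) -> bool:
    """Stage 1: network where subtype.incoming and destination_port in (5985, 5986)."""
    return (e.get("event_type") == "network" and e.get("subtype") == "incoming"
            and e.get("destination_port") in (5985, 5986))

def is_wsmprovhost_spawn(e: Event) -> bool:
    """Stage 2: process where subtype.create, wsmprovhost.exe with parent svchost.exe."""
    return (e.get("event_type") == "process" and e.get("subtype") == "create"
            and str(e.get("process_name", "")).lower() == "wsmprovhost.exe"
            and str(e.get("parent_process_name", "")).lower() == "svchost.exe")

def find_sequences(events: List[Event], maxspan: float = 2.0) -> List[Tuple[Event, Event]]:
    """Return (network, process) pairs where stage 2 follows stage 1 within maxspan seconds.
    As in an EQL sequence without a `by` clause, only the newest stage-1 event is kept as state."""
    pending: Optional[Event] = None
    matches: List[Tuple[Event, Event]] = []
    for e in sorted(events, key=lambda x: x["t"]):
        if is_incoming_winrm(e):
            pending = e                      # newest first-stage candidate replaces the old one
        elif is_wsmprovhost_spawn(e) and pending is not None:
            if e["t"] - pending["t"] <= maxspan:
                matches.append((pending, e))
            pending = None                   # consumed either way; an expired one can never match
    return matches

if __name__ == "__main__":
    for net, proc in find_sequences(EVENTS):
        print(f"WinRM session: port {net['destination_port']} at t={net['t']} -> "
              f"{proc['process_name']} at t={proc['t']}")
```

Widening `maxspan` shows why the 2-second window matters: the 200/205 pair becomes a match, while the connection on port 443 and the orphan spawn at t=300 still do not.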

Contributors