CAR-2014-11-004: Remote PowerShell Sessions
According to ATT&CK, PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe
For this to work, certain registry keys must be set, and the WinRM service must be enabled. The PowerShell command Enter-PSSession -ComputerName \<RemoteHost\> creates a remote PowerShell session.
ATT&CK Detections
| Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
|---|---|---|---|
| Command and Scripting Interpreter | PowerShell | Execution | Moderate |
| Remote Services | Windows Remote Management | Lateral Movement | Moderate |
D3FEND Techniques
| ID | Name |
|---|---|
| D3-PLA | Process Lineage Analysis |
Data Model References
| Object | Action | Field |
|---|---|---|
| process | create | exe |
| process | create | parent_exe |
Implementations
Pseudocode
process = search Process:Create
wsmprovhost = filter process where (exe == "wsmprovhost.exe" and parent_exe == "svchost.exe")
Eql, EQL native
EQL version of the above pseudocode.
process where subtype.create and
(process_name == "wsmprovhost.exe" and parent_process_name == "svchost.exe")
Logpoint, LogPoint native
LogPoint version of the above pseudocode.
norm_id=WindowsSysmon event_id=1 image="*\wsmprovhost.exe" parent_image="*\svchost.exe"