{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/remoting/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","PowerShell"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","powershell","remoting"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies potential lateral movement through the exploitation of Windows PowerShell remoting. PowerShell remoting is a feature that enables administrators and attackers to execute commands on remote Windows systems. The detection focuses on identifying incoming network connections on ports 5985 (HTTP) and 5986 (HTTPS), the default ports used for PowerShell Remoting, followed by the execution of processes spawned by \u003ccode\u003ewsmprovhost.exe\u003c/code\u003e, the Windows Remote Management process host. This activity, when originating from unexpected sources, may indicate unauthorized access and lateral movement within a network. The rule is designed to detect suspicious activity by monitoring network traffic and process execution, flagging potential unauthorized remote executions, and enabling security teams to respond swiftly.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a network, possibly through phishing or exploiting a vulnerability on an internet-facing system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages PowerShell remoting to initiate a connection to a target system on ports 5985 or 5986.\u003c/li\u003e\n\u003cli\u003eThe target system accepts the incoming PowerShell Remoting connection.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewsmprovhost.exe\u003c/code\u003e process is launched on the target system to facilitate the remote PowerShell session.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands remotely, spawning child processes from \u003ccode\u003ewsmprovhost.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges or move laterally to other systems within the network using the remote PowerShell session.\u003c/li\u003e\n\u003cli\u003eThe attacker uses tools such as \u003ccode\u003enet.exe\u003c/code\u003e or \u003ccode\u003ePsExec\u003c/code\u003e over the remote PowerShell session to further propagate.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or deploying ransomware, by leveraging the established remote session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of PowerShell Remoting for lateral movement can lead to widespread compromise within an organization. An attacker could gain control over multiple systems, potentially leading to data breaches, system outages, or ransomware deployment. The number of affected systems could range from a few critical servers to a significant portion of the network, depending on the attacker\u0026rsquo;s objectives and the organization\u0026rsquo;s security posture. The impact could include financial losses, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eIncoming Execution via PowerShell Remoting\u003c/code\u003e to your SIEM to detect suspicious PowerShell remoting activity and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to ports 5985 and 5986, and investigate any unauthorized or unexpected traffic using the \u003ccode\u003enetwork_connection\u003c/code\u003e log source.\u003c/li\u003e\n\u003cli\u003eInvestigate processes spawned by \u003ccode\u003ewsmprovhost.exe\u003c/code\u003e for unusual or malicious activity using the \u003ccode\u003eprocess_creation\u003c/code\u003e log source.\u003c/li\u003e\n\u003cli\u003eWhitelist authorized administrative IP addresses or user accounts that frequently perform remote management tasks, as mentioned in the false positives analysis.\u003c/li\u003e\n\u003cli\u003eReview and document automated scripts or scheduled tasks that use PowerShell Remoting for system maintenance, then create exceptions for their specific process names or execution paths.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:53:23Z","date_published":"2024-01-03T18:53:23Z","id":"/briefs/2024-01-03-powershell-remoting/","summary":"This rule identifies remote execution via Windows PowerShell remoting, which allows a user to run any Windows PowerShell command on one or more remote computers, potentially indicating lateral movement.","title":"Incoming Execution via PowerShell Remoting","url":"https://feed.craftedsignal.io/briefs/2024-01-03-powershell-remoting/"}],"language":"en","title":"CraftedSignal Threat Feed — Remoting","version":"https://jsonfeed.org/version/1.1"}