PowerShell remoting is a Windows feature that uses WinRM to allow remote command execution over an encrypted channel. It's widely used by system administrators for legitimate remote management, but attackers abuse it for lateral movement by executing malicious commands on target systems.
Remote Command Execution:
Attackers leverage PowerShell remoting cmdlets such as Invoke-Command and Enter-PSSession to run malicious payloads on remote systems. For example, an adversary might execute:
Invoke-Command -ComputerName VICTIM -ScriptBlock {Start-Process C:\malwarefolder\malware.exe} -Credential $credentials
Stealth & Blending with Legitimate Activity:
Since PowerShell is present on every Windows system and is used daily for administration, its remote execution capability can be abused without raising immediate suspicion: the activity looks like routine management unless the source, target and account are correlated.
⭐ Important Windows Event Logs
Event ID 4688 (Source): Logs the execution of powershell.exe, including its command-line parameters, which may reveal remoting cmdlets such as Invoke-Command or Enter-PSSession.
Event IDs 4104 & 800: Log the executed PowerShell script blocks and commands, revealing details about the payload or the actions taken during the remoting session.
Event ID 4624 (Target): Records a successful network logon (Logon Type 3), which indicates that a remote session is being established.
Event ID 4688 (Target): Logs the execution of wsmprovhost.exe, the host process that handles remote PowerShell commands on the target.

⭐ Important Sysmon Event IDs
Event ID 1 (Process Creation): Captures the spawning of powershell.exe and wsmprovhost.exe processes on both source and target machines.

Look for wsmprovhost.exe execution on the target, and for child processes whose parent is wsmprovhost.exe, to trace the remote session and what it ran.
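The event IDs listed above only become a detection when they are correlated: a remoting cmdlet on the source, a Logon Type 3 on the named target for the same account shortly afterwards, wsmprovhost.exe starting there, and anything wsmprovhost.exe spawns. The following Python is an added example (not from the original page) that runs this correlation over a small set of constructed, SIEM-normalised events; the field names (host, channel, event_id, time, user, image, command_line, script_block, parent_image, logon_type) are assumptions about how a SIEM would flatten Security 4688/4624, Microsoft-Windows-PowerShell/Operational 4104 and Sysmon 1 records.

```python
import re
from datetime import datetime, timedelta

# Matches a remoting cmdlet and the host it is aimed at (quoted or bare name).
REMOTING_RE = re.compile(
    r"\b(Invoke-Command|Enter-PSSession|New-PSSession)\b.*?-ComputerName\s+['\"]?([\w.-]+)",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample events; field names are assumed SIEM normalisation, not real logs.
SAMPLE_EVENTS = [
    # ADMIN-WS (source): Security 4688 for powershell.exe carrying a remoting cmdlet
    {"host": "ADMIN-WS", "channel": "Security", "event_id": 4688, "time": "2024-05-01T10:00:01",
     "user": r"CORP\jdoe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -Command "Invoke-Command -ComputerName SRV01 -ScriptBlock {Start-Process C:\Temp\tool.exe}"'},
    # ADMIN-WS (source): PowerShell Operational 4104 script block for the same command
    {"host": "ADMIN-WS", "channel": "Microsoft-Windows-PowerShell/Operational", "event_id": 4104,
     "time": "2024-05-01T10:00:02", "user": r"CORP\jdoe",
     "script_block": r"Invoke-Command -ComputerName SRV01 -ScriptBlock {Start-Process C:\Temp\tool.exe}"},
    # SRV01 (target): network logon, wsmprovhost.exe start, and a child of wsmprovhost.exe (Sysmon 1)
    {"host": "SRV01", "channel": "Security", "event_id": 4624, "time": "2024-05-01T10:00:03",
     "user": r"CORP\jdoe", "logon_type": 3, "source_ip": "10.0.0.25"},
    {"host": "SRV01", "channel": "Security", "event_id": 4688, "time": "2024-05-01T10:00:04",
     "user": r"CORP\jdoe", "image": r"C:\Windows\System32\wsmprovhost.exe"},
    {"host": "SRV01", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "time": "2024-05-01T10:00:05", "user": r"CORP\jdoe", "image": r"C:\Temp\tool.exe",
     "parent_image": r"C:\Windows\System32\wsmprovhost.exe"},
    # Noise that must not correlate: local PowerShell use and an interactive logon by another user
    {"host": "ADMIN-WS", "channel": "Security", "event_id": 4688, "time": "2024-05-01T10:01:00",
     "user": r"CORP\jdoe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -Command Get-Process"},
    {"host": "SRV01", "channel": "Security", "event_id": 4624, "time": "2024-05-01T10:00:06",
     "user": r"CORP\asmith", "logon_type": 2},
    # A remoting attempt whose target's logs were never collected: still alerted, but unconfirmed
    {"host": "ADMIN-WS", "channel": "Microsoft-Windows-PowerShell/Operational", "event_id": 4104,
     "time": "2024-05-01T10:05:00", "user": r"CORP\svc-backup",
     "script_block": "Enter-PSSession -ComputerName 'FILE01'"},
]


def parse_remoting_target(text):
    """Return (cmdlet, TARGET) if text contains a remoting cmdlet aimed at a named host, else None."""
    m = REMOTING_RE.search(text or "")
    return (m.group(1), m.group(2).upper()) if m else None


def _t(ev):
    return datetime.fromisoformat(ev["time"])


def _target_evidence(events, target, user, start, window):
    """Collect target-side evidence for one account inside [start, start + window]."""
    ev_out = {"network_logon": False, "wsmprovhost": False, "child_process": []}
    for ev in events:
        if ev["host"].upper() != target or ev.get("user") != user:
            continue
        if not (start <= _t(ev) <= start + window):
            continue
        image = (ev.get("image") or "").lower()
        parent = (ev.get("parent_image") or "").lower()
        if ev["event_id"] == 4624 and ev.get("logon_type") == 3:
            ev_out["network_logon"] = True            # Security 4624, Logon Type 3
        if ev["event_id"] in (4688, 1) and image.endswith("\\wsmprovhost.exe"):
            ev_out["wsmprovhost"] = True              # Security 4688 or Sysmon 1
        if ev["event_id"] == 1 and parent.endswith("\\wsmprovhost.exe"):
            ev_out["child_process"].append(ev["image"])  # what the remote session ran
    return ev_out


def correlate_remoting(events, window=timedelta(seconds=60)):
    """One alert per (source host, target host, account) seen issuing a remoting cmdlet.

    Source evidence comes from Security 4688 command lines and PowerShell 4104 script blocks;
    the alert is 'confirmed' when the target shows both a type-3 logon and wsmprovhost.exe."""
    alerts = {}
    for src in events:
        if src["event_id"] == 4688 and src["channel"] == "Security":
            hit = parse_remoting_target(src.get("command_line"))
        elif src["event_id"] == 4104:
            hit = parse_remoting_target(src.get("script_block"))
        else:
            continue
        if not hit:
            continue
        cmdlet, target = hit
        key = (src["host"].upper(), target, src.get("user"))
        if key not in alerts:
            evidence = _target_evidence(events, target, src.get("user"), _t(src), window)
            alerts[key] = {"source_host": src["host"], "target_host": target, "user": src.get("user"),
                           "cmdlet": cmdlet, "source_events": [], "evidence": evidence,
                           "confirmed": evidence["network_logon"] and evidence["wsmprovhost"]}
        alerts[key]["source_events"].append(src["event_id"])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in correlate_remoting(SAMPLE_EVENTS):
        print(alert)
```

The second alert is the important edge case: when the target's Security or Sysmon channel is not being collected, the source-side 4104 alone still fires, but the alert stays unconfirmed so an analyst knows the target evidence is missing rather than absent. The account match is deliberately strict; a real rule would also tolerate a UPN versus DOMAIN\user mismatch between the two hosts.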