Remote PowerShell Session (PS Module)

Severity: high
Author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
Source: upstream

Detects remote PowerShell sessions

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1059.001` Command and Scripting Interpreter: PowerShell
Lateral Movement	`T1021.006` Remote Services: Windows Remote Management

Event coverage

Provider	Event ID	Title
PowerShell	4103	Payload Context: ContextInfo User Data: UserData.

Stages and Predicates

Stage 1: `selection`

ContextInfo|contains: ' = ServerRemoteHost '
ContextInfo|contains: wsmprovhost.exe

Stage 2: `not 1 of filter_pwsh_archive`

ContextInfo|contains: '\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`ContextInfo`	match	`= ServerRemoteHost` `\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1` `wsmprovhost.exe`