
Summary
This analytic detects the use of the `Enter-PSSession` cmdlet in PowerShell, which lets a user open an interactive session on a remote endpoint over the Windows Remote Management (WinRM) protocol. It relies on PowerShell Script Block Logging (EventCode=4104) and looks for script blocks that show `Enter-PSSession` being invoked with a target computer. The detection matters because such invocations can indicate lateral movement or unauthorized access by an attacker attempting to execute commands remotely. If confirmed malicious, this activity could lead to further network compromise and loss of sensitive information. Deploying the analytic requires PowerShell Script Block Logging to be enabled on the relevant endpoints.
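The following is an added, stand-alone illustration of the matching logic described above, written in Python rather than as the analytic's own search. It is not code from the original page or from the project that publishes the analytic. The sample events are constructed here to resemble Script Block Logging (EventCode 4104) records; the field names `EventCode`, `Computer`, `UserID` and `ScriptBlockText` and the values in them are assumptions for the example. It shows the three cases a practitioner tunes for: a plain invocation, a lower-case invocation chained with further commands, and a script block that merely mentions the cmdlet without a target computer, which should not fire.

```python
import re
from dataclasses import dataclass

# Constructed sample events shaped like Windows PowerShell Script Block
# Logging (EventCode 4104) records. Hosts, users and targets are invented.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "WS01.corp.example", "UserID": "CORP\\alice",
     "ScriptBlockText": "Enter-PSSession -ComputerName FS01 -Credential $cred"},
    {"EventCode": 4104, "Computer": "WS02.corp.example", "UserID": "CORP\\bob",
     "ScriptBlockText": "Get-ChildItem C:\\Temp | Sort-Object Length"},
    {"EventCode": 4104, "Computer": "WS03.corp.example", "UserID": "CORP\\carol",
     "ScriptBlockText": "enter-pssession -computername 10.0.0.25; Invoke-Command {whoami}"},
    # Same command text but a different event code: not a script block record, ignored.
    {"EventCode": 4103, "Computer": "WS01.corp.example", "UserID": "CORP\\alice",
     "ScriptBlockText": "Enter-PSSession -ComputerName FS02"},
    # Mentions the cmdlet but supplies no target computer: should not fire.
    {"EventCode": 4104, "Computer": "WS04.corp.example", "UserID": "CORP\\dave",
     "ScriptBlockText": "Write-Host 'Enter-PSSession is documented here'"},
]

# Enter-PSSession followed, within the same pipeline statement, by a
# -ComputerName argument. Case-insensitive because PowerShell is.
PATTERN = re.compile(
    r"Enter-PSSession\b[^;|\n]*?-ComputerName\s+['\"]?(?P<target>[^\s'\";|]+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    source_host: str   # endpoint where the script block was logged
    user: str          # account that ran it
    target: str        # remote computer named in -ComputerName
    script_block: str  # full text, kept for triage


def find_remote_sessions(events):
    """Return one Finding per Enter-PSSession invocation with a target computer
    found in EventCode 4104 script block records."""
    findings = []
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue
        text = ev.get("ScriptBlockText", "")
        for match in PATTERN.finditer(text):
            findings.append(Finding(
                source_host=ev.get("Computer", "?"),
                user=ev.get("UserID", "?"),
                target=match.group("target"),
                script_block=text,
            ))
    return findings


if __name__ == "__main__":
    for f in find_remote_sessions(SAMPLE_EVENTS):
        print(f"{f.user} on {f.source_host} -> {f.target}: {f.script_block}")
```

Run as a script it lists the two matching events (alice to FS01, carol to 10.0.0.25). In a real deployment the same pattern would be expressed in the SIEM's query language over the 4104 source, and the `source_host`/`user`/`target` triple is what an analyst joins against asset and identity data to decide whether the session is expected administration or lateral movement.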
Categories
- Endpoint
- Windows
Data Sources
- Pod
- Process
ATT&CK Techniques
- T1021
- T1021.006
Created: 2024-11-13