
Summary
This analytic rule detects execution of the PowerShell Enable-PSRemoting cmdlet, monitoring for instances where this potentially malicious cmdlet is run. PowerShell remoting lets administrators run commands on remote machines; if an attacker gains access to this capability, they can control a compromised system remotely and extend their ability to move within the network. The detection specifically captures events logged through PowerShell Script Block Logging (EventCode 4104), so security teams can assess whether the activity is legitimate. The rule only functions when PowerShell Script Block Logging is enabled on endpoints, and careful tuning is needed to minimize false positives from legitimate administrative use.
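The following is an added illustration, not the rule's own search logic: a small Python detector run over constructed EventCode 4104 records (the field names Computer, UserID and ScriptBlockText are assumed to mirror what Script Block Logging emits). It shows the three things the summary calls out: only 4104 events are considered, an allowlist of known administrative accounts is applied to reduce false positives, and a coverage check flags endpoints that never report 4104 events at all, which usually means Script Block Logging is not enabled there.

```python
"""Illustrative Enable-PSRemoting detection over PowerShell Script Block
Logging (EventCode 4104) records. Sample events below are constructed."""
import re
from collections import defaultdict

# Constructed sample records modelled on the fields a 4104 event carries.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "ws01.corp.local", "UserID": "CORP\\jdoe",
     "ScriptBlockText": "Enable-PSRemoting -Force"},
    {"EventCode": 4104, "Computer": "ws02.corp.local", "UserID": "CORP\\svc-admin",
     "ScriptBlockText": "Get-Process | Where-Object {$_.CPU -gt 100}"},
    {"EventCode": 4104, "Computer": "ws03.corp.local", "UserID": "CORP\\jdoe",
     "ScriptBlockText": "enable-psremoting -SkipNetworkProfileCheck -Force"},
    # Same text but a different EventCode: the rule only looks at 4104, so ignored.
    {"EventCode": 4103, "Computer": "ws01.corp.local", "UserID": "CORP\\jdoe",
     "ScriptBlockText": "Enable-PSRemoting"},
]

# Cmdlet names are case-insensitive in PowerShell, so match accordingly.
PATTERN = re.compile(r"\benable-psremoting\b", re.IGNORECASE)


def detect_enable_psremoting(events, allowlisted_users=()):
    """Return 4104 events whose script block invokes Enable-PSRemoting.

    allowlisted_users: accounts (e.g. a change-management service account)
    whose use of the cmdlet is accepted as legitimate and suppressed.
    """
    allow = {u.lower() for u in allowlisted_users}
    hits = []
    for event in events:
        if event.get("EventCode") != 4104:
            continue
        if not PATTERN.search(event.get("ScriptBlockText", "")):
            continue
        if event.get("UserID", "").lower() in allow:
            continue
        hits.append(event)
    return hits


def summarize(hits):
    """Count hits per (Computer, UserID), the shape an analyst triages from."""
    counts = defaultdict(int)
    for event in hits:
        counts[(event["Computer"], event["UserID"])] += 1
    return dict(counts)


def hosts_without_script_block_logging(events, expected_hosts):
    """Coverage check: expected endpoints with no 4104 events at all.

    The rule is blind on such hosts, so this list is worth reviewing alongside
    the detection results.
    """
    reporting = {e["Computer"] for e in events if e.get("EventCode") == 4104}
    return sorted(set(expected_hosts) - reporting)


if __name__ == "__main__":
    hits = detect_enable_psremoting(SAMPLE_EVENTS)
    for (host, user), n in summarize(hits).items():
        print(f"{host} {user} Enable-PSRemoting x{n}")
    gaps = hosts_without_script_block_logging(
        SAMPLE_EVENTS, ["ws01.corp.local", "ws04.corp.local"])
    print("hosts without 4104 telemetry:", gaps)
```

On the constructed sample this reports two hits (ws01 and ws03, both by CORP\jdoe), drops the 4103 record, and lists ws04.corp.local as a host with no Script Block Logging telemetry. Passing the same events with CORP\jdoe allowlisted yields no hits, which is how an allowlist should be applied sparingly and reviewed, since it suppresses the very signal the rule exists to raise.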
Categories
- Endpoint
Data Sources
- Pod
- Process
ATT&CK Techniques
- T1059.001
- T1059
Created: 2024-11-13