Rules Contributing to PowerShell Remote Access Alert Type
The following rules are used to identify that a Windows host executed a PowerShell script interacting with a remote host. Any one or more of these rules will trigger the PowerShell Remote Access alert. The details for each rule (query, log source, severity and related fields) are listed below its description.
| Title | Description |
|---|---|
| PowerShell Remote Access | A Windows host executed a PowerShell script interacting with a remote host. Investigate the script and the remote host to determine whether the script is malicious. If so, consider quarantining the host. |
| PowerShell Remote Access (High Fidelity) | A Windows host executed a PowerShell script interacting with a remote host. Investigate the script and the remote host to determine whether the script is malicious. If so, consider quarantining the host. |

| Field | PowerShell Remote Access | PowerShell Remote Access (High Fidelity) |
|---|---|---|
| Rule ID | | |
| Query | `{'selection1': {'DetectionFlag': 2200}, 'selection2': [{'RemoteIP\|re': '^169\\.254\\.169\\.254$'}, {'RemoteIP\|re': '\\.0$'}], 'condition': 'selection1 and not selection2'}` | `{'selection1': {'DetectionFlag': 2201}, 'selection2': [{'RemoteIP\|re': '^169\\.254\\.169\\.254$'}, {'RemoteIP\|re': '\\.0$'}], 'condition': 'selection1 and not selection2'}` |
| Detection Flag | | |
| Note | | |
| Log Source | Stellar Cyber Windows Server Sensor configured. | Stellar Cyber Windows Server Sensor configured. |
| Rule Source | Developed internally by Stellar Cyber | Developed internally by Stellar Cyber |
| Tactics, Techniques, and Procedures | | |
| References | N/A | N/A |
| Severity | 80 | 80 |
| Suppression Logic Based On | | |
| Additional Information | | |
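To make the two queries concrete, here is an added evaluator (example code, not Stellar Cyber's own implementation) that applies the page's selection/condition structure to sensor events: a dict is an AND of its fields, a list is an OR of alternatives, and the `|re` modifier is a regex match on the field value. The event field names, the sample events and the assumption that conditions are plain conjunctions of optionally negated selections are mine, not the page's.

```python
import re

# Queries copied from this page: dict = AND of fields, list = OR, '|re' = regex on the value.
RULE_QUERIES = {
    'PowerShell Remote Access': {
        'selection1': {'DetectionFlag': 2200},
        'selection2': [{'RemoteIP|re': '^169\\.254\\.169\\.254$'}, {'RemoteIP|re': '\\.0$'}],
        'condition': 'selection1 and not selection2',
    },
    'PowerShell Remote Access (High Fidelity)': {
        'selection1': {'DetectionFlag': 2201},
        'selection2': [{'RemoteIP|re': '^169\\.254\\.169\\.254$'}, {'RemoteIP|re': '\\.0$'}],
        'condition': 'selection1 and not selection2',
    },
}

def field_matches(event, key, expected):
    """Compare one field; with the '|re' modifier the value is regex-searched."""
    if key.endswith('|re'):
        value = event.get(key[:-3])
        return value is not None and re.search(expected, str(value)) is not None
    return event.get(key) == expected

def selection_matches(event, selection):
    """A dict needs every field to match; a list matches if any entry does."""
    if isinstance(selection, list):
        return any(selection_matches(event, s) for s in selection)
    return all(field_matches(event, k, v) for k, v in selection.items())

def triggers(query, event):
    """Evaluate the condition; assumes only 'a and not b'-style conjunctions, as these rules use."""
    hits = {n: selection_matches(event, s) for n, s in query.items() if n != 'condition'}
    for term in (t.strip() for t in query['condition'].split(' and ')):
        negated = term.startswith('not ')
        name = term[4:] if negated else term
        if hits[name] == negated:  # this term is false, so the conjunction is false
            return False
    return True

def fired_rules(event):
    """Names of the rules on this page that fire for one sensor event."""
    return [name for name, q in RULE_QUERIES.items() if triggers(q, event)]

# Constructed sample events (not from the page); the RemoteIP values are documentation ranges.
SAMPLE_EVENTS = [
    {'DetectionFlag': 2200, 'RemoteIP': '203.0.113.45'},     # fires: PowerShell Remote Access
    {'DetectionFlag': 2200, 'RemoteIP': '169.254.169.254'},  # suppressed: cloud metadata endpoint
    {'DetectionFlag': 2200, 'RemoteIP': '192.0.2.0'},        # suppressed: address ends in .0
    {'DetectionFlag': 2201, 'RemoteIP': '198.51.100.7'},     # fires: High Fidelity variant only
]
```

Note that the `\.0$` exclusion only suppresses addresses whose last octet is exactly `0`; an address such as `10.0.0.10` still triggers the rule.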
