Detecting remote powershell

Hey All,

Topic really…has anyone put some work/sigs into detecting remote powershell? Figured I’d start here first…thank you.


I don’t believe I’ve seen any work in this regard for Bro, it would be great if someone invested the time to build something. I do know that there is the Attack Detection team that have been submitting a lot of powershell,empire,etc based rules to the ET ruleset for Snort/Suricata.

-James D.

So at the end of the day, unencrypted remote powershell goes over tcp port 5985, WinRMI style:

POST /wsman?PSVersion=5.1.14393.1944 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/soap+xml;charset=UTF-8
Authorization: Kerberos
User-Agent: Microsoft WinRM Client
Content-Length: 0
Host: bleh:5985

HTTP/1.1 401
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate
WWW-Authenticate: Kerberos
Connection: close
Content-Length: 0

So any chance we can get 5985 added to the list of “http” ports to parse, thank you.


I’d like to see this as well. Though most of the data we observe is encrypted, previously I’ve created events or pushing to a new log where observed.

Such as…

We have had good success combining ja 3 TLS fingerprinting with server certificate information to identify anomalous traffic.

No need. Bro should automatically detect HTTP and add the analyzer. If it isn't working correctly then I think we can view that as a bug.


Ah...ok well there it is...I'll get a bug report going as I see the connection in conn.log, but nothing in http.log...thanks Seth!


And disregard :smiley: Totally seeing this:

2018-02-16T11:19:09-0700 CUve5yhDRpb6vE7u3 x.x.x.x 58754 x.x.x.x 5985 tcp http 109.998204 407 616 SF T T 0 ShADadFf 7 699 4 788 (empty) - -mac mac

2018-02-16T11:19:09-0700 FMF4K53EV8nQTRfKuh x.x.x.x x.x.x.x CUve5yhDRpb6vE7u3 HTTP 0 SHA1,MD5 text/plain - 0.000000 T T 198 198 0 0 F - d34f7af5e7fd60da9b7eee0fa1f7a569 87c8ce87b9efa3f2e02f9327adc38e0fe25fcc49 - - -

Whew. Everytime I see stuff like that I start getting nervous.


If you do some baselining in your environment, JA3 can be very successful at detecting Powershell.


Thanks Anthony…as luck would have it I’d already installed it on all my sensors so I’ll dig a little deeper into leveraging JA3 on the detection side…thanks again.