PowerShell Script With File Hostname Resolving Capabilities

Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.

Sigma rule

title: PowerShell Script With File Hostname Resolving Capabilities
id: fbc5e92f-3044-4e73-a5c6-1c4359b539de
status: test
description: Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.
references:
    - https://www.fortypoundhead.com/showcontent.asp?artid=24022
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
    - attack.exfiltration
    - attack.t1020
logsource:
    product: windows
    category: ps_script
    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Get-content '
            - 'foreach'
            - '[System.Net.Dns]::GetHostEntry'
            - 'Out-File'
    condition: selection
falsepositives:
    - The same functionality can be implemented by admin scripts, correlate with name and creator
level: medium
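To make the selection logic concrete, here is an added example (not part of the Sigma project or of this rule's page) that implements the rule's `ScriptBlockText|contains|all` test in plain Python and runs it over a few constructed PowerShell script-block texts of the kind Windows records in Event ID 4104. Sigma string modifiers match case-insensitively, so the matcher lower-cases both sides. The event dictionaries, ids and file paths are constructed sample data, and `matches_rule` / `evaluate` are names chosen for this example.

```python
"""Minimal evaluator for the rule's contains|all selection (added example).

Sigma `contains` matching is case-insensitive, hence the lower-casing below.
Only the four substrings from the rule's `selection` block are checked; the
logsource filtering (product: windows, category: ps_script) is assumed to have
already been applied by the collection pipeline.
"""

# The four substrings from the rule's selection, copied verbatim (note the
# trailing space on 'Get-content ', which is part of the pattern).
RULE_TERMS = [
    "Get-content ",
    "foreach",
    "[System.Net.Dns]::GetHostEntry",
    "Out-File",
]


def matches_rule(script_block_text: str, terms=RULE_TERMS) -> bool:
    """contains|all: every term must occur (case-insensitively) in the text."""
    haystack = script_block_text.lower()
    return all(term.lower() in haystack for term in terms)


# Constructed sample events, not real telemetry. Each mimics the
# ScriptBlockText field of a 4104 event.
SAMPLE_EVENTS = [
    {
        # Reads a host list, resolves each entry, writes results out:
        # satisfies all four terms, so the rule fires.
        "id": "evt-1",
        "ScriptBlockText": (
            "$hosts = Get-Content C:\\temp\\hosts.txt\n"
            "foreach ($h in $hosts) {\n"
            "  [System.Net.Dns]::GetHostEntry($h) | Out-File C:\\temp\\resolved.txt -Append\n"
            "}"
        ),
    },
    {
        # Same behaviour written with the 'gc' alias and '>' redirection:
        # 'Get-content ' and 'Out-File' are absent, so the rule does NOT fire.
        # This is the coverage gap a detection engineer should be aware of.
        "id": "evt-2",
        "ScriptBlockText": (
            "$hosts = gc C:\\temp\\hosts.txt\n"
            "foreach ($h in $hosts) { [System.Net.Dns]::GetHostEntry($h) > C:\\temp\\out.txt }"
        ),
    },
    {
        # Ordinary file transformation with no DNS resolution: three of the
        # four terms are present ('ForEach-Object' contains 'foreach'), but
        # GetHostEntry is missing, so the rule does not fire.
        "id": "evt-3",
        "ScriptBlockText": "Get-Content .\\in.txt | ForEach-Object { $_.Trim() } | Out-File .\\out.txt",
    },
]


def evaluate(events, terms=RULE_TERMS):
    """Return the ids of the events whose ScriptBlockText satisfies the selection."""
    return [e["id"] for e in events if matches_rule(e["ScriptBlockText"], terms)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "MATCH" if matches_rule(event["ScriptBlockText"]) else "no match"
        print(f"{event['id']}: {verdict}")
```

Running the block reports a match only for `evt-1`. The second sample shows why the rule is rated medium rather than high: because `contains|all` requires every literal, a script that reaches the same result through the `gc` alias or output redirection is not covered, while the third sample shows that a benign file-processing loop is correctly left alone. As the rule's own false-positive note says, a hit should be correlated with the script name and the account that created it before being treated as exfiltration staging.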
