PowerShell Script With File Hostname Resolving Capabilities
Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.
Sigma rule
title: PowerShell Script With File Hostname Resolving Capabilities
id: fbc5e92f-3044-4e73-a5c6-1c4359b539de
status: test
description: Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.
references:
    - https://www.fortypoundhead.com/showcontent.asp?artid=24022
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
    - attack.exfiltration
    - attack.t1020
logsource:
    product: windows
    category: ps_script
    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Get-content '
            - 'foreach'
            - '[System.Net.Dns]::GetHostEntry'
            - 'Out-File'
    condition: selection
falsepositives:
    - The same functionality can be implemented by admin scripts, correlate with name and creator
level: medium
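To see what the selection above actually fires on, here is an added example that is not part of the rule or of the SigmaHQ project: the `ScriptBlockText|contains|all` selection re-implemented as a Python predicate and run over constructed Event ID 4104 script-block samples. The sample names, user names, hostnames and file paths are invented for illustration; the four substrings are copied from the rule unchanged.

```python
# Added example, not part of the Sigma rule or the SigmaHQ project: the
# `ScriptBlockText|contains|all` selection re-implemented as a Python predicate
# and run over constructed PowerShell script-block samples (Event ID 4104).
# Sample names, user names, hostnames and paths below are invented.

# The four substrings from the rule's selection, copied verbatim.
# Sigma string matching is case-insensitive unless the `cased` modifier is
# present, so the predicate lowercases both the needles and the haystack.
SELECTION = (
    "Get-content ",
    "foreach",
    "[System.Net.Dns]::GetHostEntry",
    "Out-File",
)


def matches_selection(script_block_text: str) -> bool:
    """True when every substring in SELECTION occurs in the script block."""
    haystack = script_block_text.lower()
    return all(needle.lower() in haystack for needle in SELECTION)


def run_rule(events):
    """Return the names of events the rule would fire on (condition: selection)."""
    return [e["name"] for e in events if matches_selection(e["ScriptBlockText"])]


# Constructed events standing in for the fields a ps_script log source carries.
SAMPLES = [
    {
        # The behaviour the rule describes: read a file, loop, resolve, write out.
        "name": "resolve-loop",
        "user": "CONTOSO\\svc-backup",
        "ScriptBlockText": (
            "$hosts = Get-content C:\\Users\\Public\\hosts.txt\n"
            "foreach ($h in $hosts) {\n"
            "  [System.Net.Dns]::GetHostEntry($h).AddressList[0].IPAddressToString |\n"
            "    Out-File -Append C:\\Users\\Public\\out.txt\n"
            "}\n"
        ),
    },
    {
        # Same outcome via Resolve-DnsName: outside the selection, so no alert.
        "name": "resolve-dnsname-variant",
        "user": "CONTOSO\\svc-backup",
        "ScriptBlockText": (
            "Get-Content .\\servers.txt | ForEach-Object { Resolve-DnsName $_ } |\n"
            "  Out-File .\\resolved.txt\n"
        ),
    },
    {
        # Paren-call style leaves no space after Get-Content, so 'Get-content '
        # (with its trailing space) is never present and the rule stays silent.
        "name": "paren-call-style",
        "user": "CONTOSO\\jdoe",
        "ScriptBlockText": (
            "foreach ($h in Get-Content($f)) {\n"
            "  [System.Net.Dns]::GetHostEntry($h) | Out-File o.txt\n"
            "}\n"
        ),
    },
    {
        # Legitimate inventory script with the same four tokens: the false
        # positive the rule's note warns about; triage by name and creator.
        "name": "dns-inventory-report",
        "user": "CONTOSO\\adm-infra",
        "ScriptBlockText": (
            "$servers = Get-Content \\\\fs01\\it\\inventory\\servers.txt\n"
            "foreach ($s in $servers) {\n"
            "  $ip = ([System.Net.Dns]::GetHostEntry($s)).AddressList[0].IPAddressToString\n"
            '  "$s,$ip" | Out-File -Append C:\\Reports\\dns-inventory.csv\n'
            "}\n"
        ),
    },
]


if __name__ == "__main__":
    for event in SAMPLES:
        verdict = "ALERT" if matches_selection(event["ScriptBlockText"]) else "pass "
        print(f"{verdict} {event['name']:<26} {event['user']}")
```

Two of the four samples fire: the resolve-and-write loop the rule targets, and an administrator's inventory report that uses exactly the same tokens, which is the false positive the rule's own note tells you to resolve by looking at the script name and its creator. The two misses are worth knowing about before relying on the rule: a script that resolves with `Resolve-DnsName` instead of `[System.Net.Dns]::GetHostEntry` never matches, and the trailing space in `'Get-content '` means a paren-style call such as `Get-Content($f)` slips past as well. The `ps_script` log source also only produces `ScriptBlockText` when PowerShell Script Block Logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) is enabled, so confirm that setting on the endpoints before expecting any hits.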
Related rules
- AWS RDS Master Password Change
- PowerShell Script With File Upload Capabilities
- Restore Public AWS RDS Instance
- Suspicious Inbox Forwarding
- Suspicious BlackCat-Related Exfiltration Command