Suspicious TCP Tunnel Via PowerShell Script
Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity
Sigma rule (View on GitHub)
1title: Suspicious TCP Tunnel Via PowerShell Script
2id: bd33d2aa-497e-4651-9893-5c5364646595
3status: test
4description: Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity
5references:
6 - https://github.com/Arno0x/PowerShellScripts/blob/a6b7d5490fbf0b20f91195838f3a11156724b4f7/proxyTunnel.ps1
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022/07/08
9tags:
10 - attack.command_and_control
11 - attack.t1090
12logsource:
13 product: windows
14 category: ps_script
15 definition: 'Requirements: Script Block Logging must be enabled'
16detection:
17 selection:
18 ScriptBlockText|contains|all:
19 - '[System.Net.HttpWebRequest]'
20 - 'System.Net.Sockets.TcpListener'
21 - 'AcceptTcpClient'
22 condition: selection
23falsepositives:
24 - Unknown
25level: medium
References
-
Collection of PowerShell scripts. Contribute to Arno0x/PowerShellScripts development by creating an account on GitHub.
Read More
Related rules
- Communication To Ngrok Tunneling Service - Linux
- Ngrok Usage with Remote Desktop Service
- Malicious IP Address Sign-In Failure Rate
- Malicious IP Address Sign-In Suspicious
- Sign-In From Malware Infected IP