Recon Information for Export with PowerShell
Once established within a system or network, an adversary may use automated techniques for collecting internal data (MITRE ATT&CK T1119, Automated Collection). This rule looks for the PowerShell variant of that behaviour: a logged script block that runs Get-Service, Get-ChildItem or Get-Process and redirects the output with `>` into a file under $env:TEMP, i.e. enumeration results being staged locally for later exfiltration.
Sigma rule
title: Recon Information for Export with PowerShell
id: a9723fcc-881c-424c-8709-fd61442ab3c3
status: test
description: Once established within a system or network, an adversary may use automated techniques for collecting internal data
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
author: frack113
date: 2021-07-30
modified: 2022-12-25
tags:
    - attack.collection
    - attack.t1119
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_action:
        ScriptBlockText|contains:
            - 'Get-Service '
            - 'Get-ChildItem '
            - 'Get-Process '
    selection_redirect:
        ScriptBlockText|contains: '> $env:TEMP\'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
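The rule's logic is simple enough to reproduce by hand, which is the quickest way to see what it catches and what it misses. The following Python is an added example written for this page, not code from the Sigma project or the rule author: it transcribes the two selections and the `all of selection*` condition into a matcher and runs it over a handful of constructed PowerShell Script Block Logging events (Event ID 4104, `ScriptBlockText` field). Sigma string matching is case-insensitive unless the `cased` modifier is used, so the matcher lower-cases both sides before the substring test. The event dictionaries are invented sample data; only the `EventID` and `ScriptBlockText` field names are assumed to mirror what a Windows log shipper would emit.

```python
# Transcription of the Sigma rule above, run over constructed 4104 events.
# Example code added for this page; not the Sigma project's own code.

# selection_action: ScriptBlockText|contains (note the trailing space on each value)
SELECTION_ACTION = ("Get-Service ", "Get-ChildItem ", "Get-Process ")
# selection_redirect: ScriptBlockText|contains
SELECTION_REDIRECT = "> $env:TEMP\\"


def matches_rule(script_block_text: str) -> bool:
    """Return True when the script block satisfies 'all of selection*'.

    Sigma 'contains' is an unanchored, case-insensitive substring match,
    so both the event text and the rule values are lower-cased first.
    """
    text = script_block_text.lower()
    hit_action = any(value.lower() in text for value in SELECTION_ACTION)
    hit_redirect = SELECTION_REDIRECT.lower() in text
    return hit_action and hit_redirect


# Constructed sample events (not real telemetry). Each mimics one
# Microsoft-Windows-PowerShell/Operational 4104 record.
SAMPLE_EVENTS = [
    # Expected hits: recon cmdlet + '>' redirect into $env:TEMP
    {"EventID": 4104, "ScriptBlockText": "Get-Service > $env:TEMP\\svc.txt"},
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem -Recurse C:\\Users > $env:TEMP\\files.txt"},
    {"EventID": 4104, "ScriptBlockText": "get-process > $env:temp\\procs.txt"},  # case variation
    # Expected misses: same intent, but outside what the rule's strings cover
    {"EventID": 4104, "ScriptBlockText": "Get-Process | Out-File $env:TEMP\\procs.txt"},  # no '>'
    {"EventID": 4104, "ScriptBlockText": "Get-Service -Name Spooler"},  # recon, no export
    {"EventID": 4104, "ScriptBlockText": "Write-Output 'hi' > $env:TEMP\\out.txt"},  # export, no recon
    # Wrong event type entirely: script block logging events are 4104
    {"EventID": 4103, "ScriptBlockText": "Get-Service > $env:TEMP\\svc.txt"},
]


def run_rule(events) -> list:
    """Apply the rule to a list of events; return the matching ScriptBlockText values."""
    return [
        e["ScriptBlockText"]
        for e in events
        if e.get("EventID") == 4104 and matches_rule(e.get("ScriptBlockText", ""))
    ]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The three misses are the caveat to keep in mind when tuning: the rule keys on the literal `>` redirect and the literal `$env:TEMP\` path, so the same collection done with `Out-File`, `Set-Content`, `Tee-Object`, `$env:TMP`, a hard-coded `C:\Users\...\AppData\Local\Temp` path, or a cmdlet not in the list (`Get-NetTCPConnection`, `Get-LocalUser`, ...) will not fire. The companion rule "Recon Information for Export with Command Prompt" covers the cmd.exe equivalents; widening this one means adding to `selection_action` and `selection_redirect` rather than relaxing the `all of selection*` condition, which is what keeps the false-positive rate of a bare `Get-Process` or bare `> $env:TEMP\` manageable.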
Related rules
- Automated Collection Command PowerShell
- Automated Collection Command Prompt
- Recon Information for Export with Command Prompt
- 7Zip Compressing Dump Files
- ADFS Database Named Pipe Connection By Uncommon Tool