Potential Powershell ReverseShell Connection
Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other.
Sigma rule (View on GitHub)
1title: Potential Powershell ReverseShell Connection
2id: edc2f8ae-2412-4dfd-b9d5-0c57727e70be
3status: stable
4description: Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other.
5references:
6 - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
7 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
8 - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1
9author: FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)
10date: 2021-03-03
11modified: 2023-04-05
12tags:
13 - attack.execution
14 - attack.t1059.001
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection_img:
20 - OriginalFileName:
21 - 'PowerShell.EXE'
22 - 'pwsh.dll'
23 - Image|endswith:
24 - '\powershell.exe'
25 - '\pwsh.exe'
26 selection_cli:
27 CommandLine|contains|all:
28 - ' Net.Sockets.TCPClient'
29 - '.GetStream('
30 - '.Write('
31 condition: all of selection_*
32falsepositives:
33 - In rare administrative cases, this function might be used to check network connectivity
34level: high
References
Related rules
- AWS EC2 Startup Shell Script Change
- Alternate PowerShell Hosts - PowerShell Module
- Alternate PowerShell Hosts Pipe
- Bad Opsec Powershell Code Artifacts
- BloodHound Collection Files