Potential Powershell ReverseShell Connection

 1title: Potential Powershell ReverseShell Connection
 2id: edc2f8ae-2412-4dfd-b9d5-0c57727e70be
 3status: stable
 4description: Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other.
 5references:
 6    - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
 7    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
 8    - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1
 9author: FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)
10date: 2021/03/03
11modified: 2023/04/05
12tags:
13    - attack.execution
14    - attack.t1059.001
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_img:
20        - OriginalFileName:
21              - 'PowerShell.EXE'
22              - 'pwsh.dll'
23        - Image|endswith:
24              - '\powershell.exe'
25              - '\pwsh.exe'
26    selection_cli:
27        CommandLine|contains|all:
28            - ' Net.Sockets.TCPClient'
29            - '.GetStream('
30            - '.Write('
31    condition: all of selection_*
32falsepositives:
33    - In rare administrative cases, this function might be used to check network connectivity
34level: high

References

• Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities

  

  [UPDATE] March 8, 2021 – Since original publication of this blog, Volexity has now observed that cyber espionage operations using the SSRF vulnerability CVE-2021-26855 started occurring on January 3, 2021, three days earlier than initially posted. Volexity is seeing active in-the-wild exploitation of multiple Microsoft Exchange vulnerabilities used to steal e-mail and compromise networks. These attacks appear to have started as early as January 6, 2021. In January 2021, through its Network Security Monitoring service, Volexity detected anomalous activity from two of its customers' Microsoft Exchange servers. Volexity identified a large amount of data being sent to IP addresses it believed were not tied to legitimate users. A closer inspection of the IIS logs from the Exchange servers revealed rather alarming results. The logs showed inbound POST requests to valid files associated with images, JavaScript, cascading style sheets, and fonts used by Outlook Web Access (OWA). It was initially suspected the […]

  
  Read More

• https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

  
  Read More

• nishang/Shells/Invoke-PowerShellTcpOneLine.ps1 at 414ee1104526d7057f9adaeee196d91ae447283e · samratashok/nishang

  

  Nishang - Offensive PowerShell for red team, penetration testing and offensive security. - samratashok/nishang

  
  Read More

Related rules

• Bad Opsec Powershell Code Artifacts
• ConvertTo-SecureString Cmdlet Usage Via CommandLine
• HackTool - Bloodhound/Sharphound Execution
• HackTool - CrackMapExec PowerShell Obfuscation
• Invoke-Obfuscation CLIP+ Launcher - Security