Threat Hunt | low | test
Network Connection Initiated By PowerShell Process
Detects a network connection that was initiated from a PowerShell process. Malicious PowerShell scripts often download additional payloads or communicate back to command and control channels via uncommon ports or IPs. Use this rule as a basis for hunting for anomalies.
Florian Roth (Nextron Systems) | Created Mon Mar 13 | Updated Wed Mar 13 | 1f21ec3f-810d-4b0e-8045-322202e22b4b | windows
Hunting Hypothesis
Log Source
Windows / Network Connection
Product: Windows (raw: windows)
Category: Network Connection (raw: network_connection)
Events for outbound and inbound network connections including DNS resolution.
Detection Logic (3 selectors)
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        Initiated: 'true'
    filter_main_local_ip:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '169.254.0.0/16' # link-local address
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '::1/128' # IPv6 loopback
            - 'fe80::/10' # IPv6 link-local addresses
            - 'fc00::/7' # IPv6 private addresses
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    filter_main_msrange:
        DestinationIp|cidr:
            - '20.184.0.0/13'
            - '51.103.210.0/23'
    condition: selection and not 1 of filter_main_*

False Positives
Administrative scripts
Microsoft IP range
Additional filters are required. Adjust to your environment (e.g. extend the filters with your company's IP ranges).
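To make the condition concrete, here is an added Python example (not part of the rule or of the Sigma project) that evaluates the three selectors above over a handful of constructed Sysmon Event ID 3 records. It keeps Sigma's case-insensitive string matching and shows the nuance that filter_main_local_ip only suppresses a private-range destination when the user is also a system account, so a domain user's PowerShell connection to an internal host still surfaces. Field names follow the Sysmon network-connection schema; the sample records and user names are invented.

```python
import ipaddress

# Values transcribed from the Sigma rule above.
IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
LOCAL_RANGES = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]
MS_RANGES = [ipaddress.ip_network(c) for c in ("20.184.0.0/13", "51.103.210.0/23")]
SYSTEM_USER_MARKERS = ("AUTHORI", "AUTORI")   # NT AUTHORITY, NT AUTORITE, ...

def in_ranges(ip, ranges):
    """True if `ip` parses and falls inside any network in `ranges` (version-aware)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)

def matches_rule(event):
    """Evaluate `selection and not 1 of filter_main_*` for one Sysmon EID 3 record."""
    image = str(event.get("Image", "")).lower()          # Sigma endswith is case-insensitive
    selection = (image.endswith(IMAGE_SUFFIXES)
                 and str(event.get("Initiated", "")).lower() == "true")
    if not selection:
        return False
    user = str(event.get("User", "")).upper()             # Sigma contains is case-insensitive
    dst = str(event.get("DestinationIp", ""))
    # filter_main_local_ip needs BOTH a private/loopback destination AND a system account.
    filter_local_ip = (in_ranges(dst, LOCAL_RANGES)
                       and any(m in user for m in SYSTEM_USER_MARKERS))
    filter_msrange = in_ranges(dst, MS_RANGES)
    return not (filter_local_ip or filter_msrange)

def hunt(events):
    """Return the records the rule would surface for analyst review."""
    return [e for e in events if matches_rule(e)]
# Constructed Sysmon Event ID 3 records (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": PS, "Initiated": "true", "User": r"CORP\jdoe", "DestinationIp": "203.0.113.45", "DestinationPort": 4444},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "Initiated": "true", "User": r"NT AUTHORITY\SYSTEM", "DestinationIp": "10.1.2.3", "DestinationPort": 445},
    {"Image": PS, "Initiated": "true", "User": r"CORP\jdoe", "DestinationIp": "10.1.2.3", "DestinationPort": 8080},
    {"Image": PS, "Initiated": "true", "User": r"CORP\jdoe", "DestinationIp": "20.190.1.1", "DestinationPort": 443},
    {"Image": PS, "Initiated": "false", "User": r"CORP\jdoe", "DestinationIp": "203.0.113.45", "DestinationPort": 4444},
    {"Image": r"C:\Windows\System32\curl.exe", "Initiated": "true", "User": r"CORP\jdoe", "DestinationIp": "203.0.113.45", "DestinationPort": 443},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["User"], "->", hit["DestinationIp"], hit["DestinationPort"])
```

Only the first and third records survive: the SYSTEM connection to 10.1.2.3 and the connection into 20.184.0.0/13 are filtered, the inbound (Initiated false) and curl.exe records never satisfy the selection. Environment-specific ranges from the False Positives note would go into an additional filter alongside MS_RANGES.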
References
MITRE ATT&CK
Rule Metadata
Rule ID
1f21ec3f-810d-4b0e-8045-322202e22b4b
Status
test
Level
low
Type
Threat Hunt
Created
Mon Mar 13
Modified
Wed Mar 13
Path
rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml
Raw Tags
attack.execution, attack.t1059.001, detection.threat-hunting