Detectionmediumtest

Suspicious TCP Tunnel Via PowerShell Script

Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Fri Jul 08bd33d2aa-497e-4651-9893-5c5364646595windows

Log Source

WindowsPowerShell Script

ProductWindows← raw: windows

CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic

detection:
    selection:
        ScriptBlockText|contains|all:
            - '[System.Net.HttpWebRequest]'
            - 'System.Net.Sockets.TcpListener'
            - 'AcceptTcpClient'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0011 · Command and Control

Techniques

T1090 · Proxy

Rule Metadata

Rule ID

bd33d2aa-497e-4651-9893-5c5364646595

Status

test

Level

medium

Type

Detection

Created

Fri Jul 08

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml

Raw Tags

attack.command-and-controlattack.t1090

View on GitHub