
PowerShell Script With File Hostname Resolving Capabilities

Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.

Author: Nasreddine Bencherchali (Nextron Systems)
Created: Fri May 05
Rule ID: fbc5e92f-3044-4e73-a5c6-1c4359b539de
Product: windows

Log Source
Product: Windows (raw: windows)
Category: PowerShell Script (raw: ps_script)

Definition

bade5735-5ab0-4aa7-a642-a11be0e40872

Detection Logic
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Get-content '
            - 'foreach'
            - '[System.Net.Dns]::GetHostEntry'
            - 'Out-File'
    condition: selection
False Positives

The same functionality can be implemented by admin scripts; correlate with the script name and creator before escalating.
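The following added example (not part of the rule or the Sigma project) replays the rule's `contains|all` selection over constructed ScriptBlockText values to show how the detection logic and the false-positive note above behave in practice: Sigma string matching is case-insensitive, the trailing space in 'Get-content ' means a method-style call such as `Get-Content(...)` is not matched, and an admin inventory script that never resolves DNS stays silent. The sample events are constructed, not real telemetry.

```python
"""Added example: replay this rule's 'contains|all' selection over constructed
PowerShell script block events (Event ID 4104, ScriptBlockText field)."""

# Terms copied verbatim from detection.selection.ScriptBlockText|contains|all.
# Note the trailing space in 'Get-content ': the rule needs whitespace after the cmdlet.
SELECTION_TERMS = (
    "Get-content ",
    "foreach",
    "[System.Net.Dns]::GetHostEntry",
    "Out-File",
)


def missing_terms(script_block_text: str) -> list[str]:
    """Return the selection terms absent from the event, in rule order.

    Sigma string matching is case-insensitive, so both sides are case-folded.
    An empty list means every term is present and the selection fires.
    """
    haystack = script_block_text.casefold()
    return [t for t in SELECTION_TERMS if t.casefold() not in haystack]


def matches_rule(script_block_text: str) -> bool:
    """'contains|all' with condition 'selection': fire only when nothing is missing."""
    return not missing_terms(script_block_text)


# Constructed sample ScriptBlockText values (not real telemetry).
SAMPLE_EVENTS = {
    # The behaviour the rule describes: read a file, loop, resolve, write out.
    "resolve_loop": "$hosts = Get-Content C:\\temp\\hosts.txt; "
                    "foreach ($h in $hosts) { [System.Net.Dns]::GetHostEntry($h).HostName "
                    "| Out-File C:\\temp\\resolved.txt -Append }",
    # Same logic with arbitrary casing still fires (case-insensitive matching).
    "mixed_case": "$L = GET-CONTENT .\\ips.txt; FOREACH ($i in $L) "
                  "{ [system.net.dns]::gethostentry($i) | out-file .\\r.txt }",
    # Method-style call 'Get-Content(' has no trailing space: the selection misses.
    "paren_call": "$l = Get-Content('.\\ips.txt'); foreach ($i in $l) "
                  "{ [System.Net.Dns]::GetHostEntry($i) | Out-File .\\r.txt }",
    # Admin inventory script: three of four terms, no DNS resolution, no alert.
    "ping_sweep": "foreach ($s in (Get-Content servers.txt)) "
                  "{ Test-Connection $s -Count 1 | Out-File ping.txt -Append }",
}


def scan(events: dict[str, str]) -> dict[str, bool]:
    """Evaluate every event; True marks an alert for this rule."""
    return {name: matches_rule(text) for name, text in events.items()}


if __name__ == "__main__":
    for name, fired in scan(SAMPLE_EVENTS).items():
        print(f"{name:13s} alert={fired} missing={missing_terms(SAMPLE_EVENTS[name])}")
```

The `paren_call` case is the gap a tuner would weigh against noise: dropping the trailing space widens coverage but also matches more of the admin scripts the false-positive note describes.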

Rule Metadata
Rule ID
fbc5e92f-3044-4e73-a5c6-1c4359b539de
Status
test
Level
medium
Type
Detection
Created
Fri May 05
Path
rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml
Raw Tags
attack.exfiltration, attack.t1020