SigmaHQ/rules/windows/sysmon/sysmon_powershell_network_connection.yml

44 lines
1.2 KiB
YAML
Raw Normal View History

title: PowerShell Network Connections
status: experimental
2018-07-10 14:13:41 +00:00
description: "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')"
author: Florian Roth
references:
- https://www.youtube.com/watch?v=DLtJTxMWZ2o
tags:
- attack.execution
- attack.t1086
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 3
Image: '*\powershell.exe'
filter:
DestinationIp:
- '10.*'
- '192.168.*'
- '172.16.*'
- '172.17.*'
- '172.18.*'
- '172.19.*'
- '172.20.*'
- '172.21.*'
- '172.22.*'
- '172.23.*'
- '172.24.*'
- '172.25.*'
- '172.26.*'
- '172.27.*'
- '172.28.*'
- '172.29.*'
- '172.30.*'
- '172.31.*'
- '127.0.0.1'
DestinationIsIpv6: 'false'
2017-03-13 18:09:29 +00:00
User: 'NT AUTHORITY\SYSTEM'
condition: selection and not filter
falsepositives:
- Administrative scripts
level: low