SigmaHQ/rules/windows/sysmon/sysmon_powershell_network_connection.yml

title: PowerShell Network Connections
status: experimental
description: "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')"  
author: Florian Roth
references:
    - https://www.youtube.com/watch?v=DLtJTxMWZ2o
tags:
    - attack.execution
    - attack.t1086
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 3
        Image: '*\powershell.exe'
    filter:
        DestinationIp: 
            - '10.*'
            - '192.168.*'
            - '172.16.*'
            - '172.17.*'
            - '172.18.*'
            - '172.19.*'
            - '172.20.*'
            - '172.21.*'
            - '172.22.*'
            - '172.23.*'
            - '172.24.*'
            - '172.25.*'
            - '172.26.*'
            - '172.27.*'
            - '172.28.*'
            - '172.29.*'
            - '172.30.*'
            - '172.31.*'
            - '127.0.0.1'
        DestinationIsIpv6: 'false'
        User: 'NT AUTHORITY\SYSTEM'
    condition: selection and not filter
falsepositives:
    - Administrative scripts
level: low
Rule: PowerShell with network connections 2017-03-13 12:57:41 +00:00			`title: PowerShell Network Connections`
			`status: experimental`
Fixed typo 2018-07-10 14:13:41 +00:00			`description: "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')"`
Rule: PowerShell with network connections 2017-03-13 12:57:41 +00:00			`author: Florian Roth`
Change All "str" references to be "list"to mach schema update 2018-01-27 23:24:16 +00:00			`references:`
			`- https://www.youtube.com/watch?v=DLtJTxMWZ2o`
Update sysmon_powershell_network_connection.yml 2018-10-10 00:10:17 +00:00			`tags:`
			`- attack.execution`
			`- attack.t1086`
Rule: PowerShell with network connections 2017-03-13 12:57:41 +00:00			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
			`selection:`
			`EventID: 3`
			`Image: '*\powershell.exe'`
Restrict rule to non-private IP ranges only 2017-03-13 17:45:15 +00:00			`filter:`
			`DestinationIp:`
			`- '10.*'`
			`- '192.168.*'`
Corrected class B private IP range to prevent false negatives 2019-01-04 09:50:41 +00:00			`- '172.16.*'`
			`- '172.17.*'`
			`- '172.18.*'`
			`- '172.19.*'`
			`- '172.20.*'`
			`- '172.21.*'`
			`- '172.22.*'`
			`- '172.23.*'`
			`- '172.24.*'`
			`- '172.25.*'`
			`- '172.26.*'`
			`- '172.27.*'`
			`- '172.28.*'`
			`- '172.29.*'`
			`- '172.30.*'`
			`- '172.31.*'`
Restrict rule to non-private IP ranges only 2017-03-13 17:45:15 +00:00			`- '127.0.0.1'`
			`DestinationIsIpv6: 'false'`
Reduced to user accounts 2017-03-13 18:09:29 +00:00			`User: 'NT AUTHORITY\SYSTEM'`
Restrict rule to non-private IP ranges only 2017-03-13 17:45:15 +00:00			`condition: selection and not filter`
Rule: PowerShell with network connections 2017-03-13 12:57:41 +00:00			`falsepositives:`
			`- Administrative scripts`
			`level: low`