title: PowerShell Network Connections
author: Florian Roth
date: 2017/03/13
description: Detects a PowerShell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend the filters with the company's IP range)
detection:
    SELECTION_1:
        EventID: 3
    SELECTION_2:
        Image: '*\powershell.exe'
    SELECTION_3:
        Initiated: 'true'
    SELECTION_4:
        DestinationIsIpv6: 'false'
    # SELECTION_5 to SELECTION_23: private (RFC 1918) and loopback destinations excluded by the filter
    SELECTION_5:
        DestinationIp: 10.*
    SELECTION_6:
        DestinationIp: 192.168.*
    SELECTION_7:
        DestinationIp: 172.16.*
    SELECTION_8:
        DestinationIp: 172.17.*
    SELECTION_9:
        DestinationIp: 172.18.*
    SELECTION_10:
        DestinationIp: 172.19.*
    SELECTION_11:
        DestinationIp: 172.20.*
    SELECTION_12:
        DestinationIp: 172.21.*
    SELECTION_13:
        DestinationIp: 172.22.*
    SELECTION_14:
        DestinationIp: 172.23.*
    SELECTION_15:
        DestinationIp: 172.24.*
    SELECTION_16:
        DestinationIp: 172.25.*
    SELECTION_17:
        DestinationIp: 172.26.*
    SELECTION_18:
        DestinationIp: 172.27.*
    SELECTION_19:
        DestinationIp: 172.28.*
    SELECTION_20:
        DestinationIp: 172.29.*
    SELECTION_21:
        DestinationIp: 172.30.*
    SELECTION_22:
        DestinationIp: 172.31.*
    SELECTION_23:
        DestinationIp: 127.0.0.1*
    SELECTION_24:
        DestinationIsIpv6: 'false'
    # SELECTION_25 to SELECTION_27: alternative spellings of the SYSTEM / NT AUTHORITY account; any one of them satisfies the filter
    SELECTION_25:
        User: NT AUTHORITY\SYSTEM
    SELECTION_26:
        User: '*AUT*'
    SELECTION_27:
        User: '* NT*'
    condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and not ((SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20 or SELECTION_21 or SELECTION_22 or SELECTION_23) and SELECTION_24 and (SELECTION_25 or SELECTION_26 or SELECTION_27)))
falsepositives:
    - Administrative scripts
id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
level: low
logsource:
    category: network_connection
    product: windows
modified: 2021/06/14
references:
    - https://www.youtube.com/watch?v=DLtJTxMWZ2o
status: experimental
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1086
yml_filename: sysmon_powershell_network_connection.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection