CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
bad4429ad0367f9e00841faaf490cdba7c28ae9c
hayabusa/rules/alert-rules/sigma/sysmon_powershell_network_connection.yml
Tanaka Zakku 771c86edbf change rules dir structure. addlogon timeline.
2021-11-18 08:43:13 +09:00

86 lines
2.5 KiB
YAML
Raw Blame History

title: PowerShell Network Connections
author: Florian Roth
date: 2017/03/13
description: Detects a Powershell process that opens network connections - check for
suspicious target ports and target systems - adjust to your environment (e.g.
extend filters with company's ip range')
detection:
SELECTION_1:
EventID: 3
SELECTION_10:
DestinationIp: 172.19.*
SELECTION_11:
DestinationIp: 172.20.*
SELECTION_12:
DestinationIp: 172.21.*
SELECTION_13:
DestinationIp: 172.22.*
SELECTION_14:
DestinationIp: 172.23.*
SELECTION_15:
DestinationIp: 172.24.*
SELECTION_16:
DestinationIp: 172.25.*
SELECTION_17:
DestinationIp: 172.26.*
SELECTION_18:
DestinationIp: 172.27.*
SELECTION_19:
DestinationIp: 172.28.*
SELECTION_2:
Image: '*\powershell.exe'
SELECTION_20:
DestinationIp: 172.29.*
SELECTION_21:
DestinationIp: 172.30.*
SELECTION_22:
DestinationIp: 172.31.*
SELECTION_23:
DestinationIp: 127.0.0.1*
SELECTION_24:
DestinationIsIpv6: 'false'
SELECTION_25:
User: NT AUTHORITY\SYSTEM
SELECTION_26:
User: '*AUT*'
SELECTION_27:
User: '* NT*'
SELECTION_3:
Initiated: 'true'
SELECTION_4:
DestinationIsIpv6: 'false'
SELECTION_5:
DestinationIp: 10.*
SELECTION_6:
DestinationIp: 192.168.*
SELECTION_7:
DestinationIp: 172.16.*
SELECTION_8:
DestinationIp: 172.17.*
SELECTION_9:
DestinationIp: 172.18.*
condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and not
((SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9
or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14
or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19
or SELECTION_20 or SELECTION_21 or SELECTION_22 or SELECTION_23) and SELECTION_24
and SELECTION_25 and SELECTION_26 and SELECTION_27))
falsepositives:
- Administrative scripts
id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
level: low
logsource:
category: network_connection
product: windows
modified: 2021/06/14
references:
- https://www.youtube.com/watch?v=DLtJTxMWZ2o
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
yml_filename: sysmon_powershell_network_connection.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
Reference in New Issue View Git Blame Copy Permalink