rules/windows/sysmon/sysmon_powershell_network_connection.yml

title: PowerShell Network Connections
id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
status: experimental
description: Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g.
    extend filters with company's ip range')
author: Florian Roth
references:
    - https://www.youtube.com/watch?v=DLtJTxMWZ2o
tags:
    - attack.execution
    - attack.t1086
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 3
        Image: '*\powershell.exe'
        Initiated: 'true'
    filter:
        DestinationIp: 
            - '10.*'
            - '192.168.*'
            - '172.16.*'
            - '172.17.*'
            - '172.18.*'
            - '172.19.*'
            - '172.20.*'
            - '172.21.*'
            - '172.22.*'
            - '172.23.*'
            - '172.24.*'
            - '172.25.*'
            - '172.26.*'
            - '172.27.*'
            - '172.28.*'
            - '172.29.*'
            - '172.30.*'
            - '172.31.*'
            - '127.0.0.1'
        DestinationIsIpv6: 'false'
        User: 'NT AUTHORITY\SYSTEM'
    condition: selection and not filter
falsepositives:
    - Administrative scripts
level: low
Rule: PowerShell with network connections 2017-03-13 13:57:41 +01:00			`title: PowerShell Network Connections`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 1f21ec3f-810d-4b0e-8045-322202e22b4b`
Rule: PowerShell with network connections 2017-03-13 13:57:41 +01:00			`status: experimental`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`description: Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g.`
			`extend filters with company's ip range')`
Rule: PowerShell with network connections 2017-03-13 13:57:41 +01:00			`author: Florian Roth`
Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00			`references:`
			`- https://www.youtube.com/watch?v=DLtJTxMWZ2o`
Update sysmon_powershell_network_connection.yml 2018-10-09 19:10:17 -05:00			`tags:`
			`- attack.execution`
			`- attack.t1086`
Rule: PowerShell with network connections 2017-03-13 13:57:41 +01:00			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
			`selection:`
			`EventID: 3`
			`Image: '*\powershell.exe'`
sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives 2019-09-25 11:11:22 -04:00			`Initiated: 'true'`
Restrict rule to non-private IP ranges only 2017-03-13 18:45:15 +01:00			`filter:`
			`DestinationIp:`
			`- '10.*'`
			`- '192.168.*'`
Corrected class B private IP range to prevent false negatives 2019-01-04 12:50:41 +03:00			`- '172.16.*'`
			`- '172.17.*'`
			`- '172.18.*'`
			`- '172.19.*'`
			`- '172.20.*'`
			`- '172.21.*'`
			`- '172.22.*'`
			`- '172.23.*'`
			`- '172.24.*'`
			`- '172.25.*'`
			`- '172.26.*'`
			`- '172.27.*'`
			`- '172.28.*'`
			`- '172.29.*'`
			`- '172.30.*'`
			`- '172.31.*'`
Restrict rule to non-private IP ranges only 2017-03-13 18:45:15 +01:00			`- '127.0.0.1'`
			`DestinationIsIpv6: 'false'`
Reduced to user accounts 2017-03-13 19:09:29 +01:00			`User: 'NT AUTHORITY\SYSTEM'`
Restrict rule to non-private IP ranges only 2017-03-13 18:45:15 +01:00			`condition: selection and not filter`
Rule: PowerShell with network connections 2017-03-13 13:57:41 +01:00			`falsepositives:`
			`- Administrative scripts`
			`level: low`