← Back to Explore
sigmahighTTP
Potential Powershell ReverseShell Connection
Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other.
Detection Query
selection_img:
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
- Image|endswith:
- \powershell.exe
- \pwsh.exe
selection_cli:
CommandLine|contains|all:
- " Net.Sockets.TCPClient"
- .GetStream(
- .Write(
condition: all of selection_*
Author
FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)
Created
2021-03-03
Data Sources
windowsProcess Creation Events
Platforms
windows
References
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1
Tags
attack.executionattack.t1059.001
Raw Content
title: Potential Powershell ReverseShell Connection
id: edc2f8ae-2412-4dfd-b9d5-0c57727e70be
status: stable
description: Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other.
references:
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1
author: FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)
date: 2021-03-03
modified: 2023-04-05
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
selection_cli:
CommandLine|contains|all:
- ' Net.Sockets.TCPClient'
- '.GetStream('
- '.Write('
condition: all of selection_*
falsepositives:
- In rare administrative cases, this function might be used to check network connectivity
level: high