Techniques
Sample rules
Windows PowerShell Script TabExpansion Direct Call
- source: splunk
- techniques:
- T1059.001
- T1129
Description
Detects specific indicators associated with the execution of the TabExpansion internal function in PowerShell. Calling this function directly is not normal and can be indicative of malicious activity such as TabShell. Because of the way PowerShell internals work, it can be combined with directory traversal to load arbitrary PowerShell functions even in a sandboxed session. False positives could include legitimate usage of the TabExpansion function, but calling it directly is very rare.
Detection logic
`powershell`
EventID="4104"
ScriptBlockText="*$lastWord*"
ScriptBlockText="*$_val=' + $_expression*"
ScriptBlockText="*function Write-Members*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by Computer EventID ScriptBlockText signature signature_id user_id vendor_product Guid Opcode Name Path ProcessID ScriptBlockId
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_script_tabexpansion_direct_call_filter`
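To show how the search's three ScriptBlockText terms combine (Splunk ANDs them and treats `*` as a case-insensitive wildcard), here is an added Python example, not part of the Splunk rule, that applies the same matching to constructed 4104 events and reproduces the stats/rename step; the group-by is reduced to Computer and ScriptBlockText for brevity.

```python
import re

# The three ScriptBlockText indicators from the rule; Splunk implicitly ANDs
# separate field=value terms and treats "*" as a wildcard.
INDICATORS = [
    "*$lastWord*",
    "*$_val=' + $_expression*",
    "*function Write-Members*",
]

def splunk_wildcard_to_regex(pattern: str) -> re.Pattern:
    """'*' matches any run of characters; everything else is literal, case-insensitive."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)

PATTERNS = [splunk_wildcard_to_regex(p) for p in INDICATORS]

def event_matches(event: dict) -> bool:
    """EventID must be 4104 and every indicator must appear in ScriptBlockText."""
    if str(event.get("EventID")) != "4104":
        return False
    text = event.get("ScriptBlockText", "")
    return all(p.search(text) for p in PATTERNS)

def summarize(events: list) -> list:
    """Mimic `stats count min(_time) as firstTime max(_time) as lastTime by ...`
    followed by `rename Computer as dest`, grouping only on Computer and ScriptBlockText."""
    groups = {}
    for ev in events:
        if not event_matches(ev):
            continue
        key = (ev["Computer"], ev["ScriptBlockText"])
        g = groups.setdefault(key, {"dest": ev["Computer"], "count": 0,
                                    "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    return list(groups.values())

# Constructed sample script-block events (not real telemetry).
_HIT_TEXT = "function Write-Members { }\n$lastWord = $args[0]\n$_val=' + $_expression + '"
SAMPLE_EVENTS = [
    {"_time": 1700000100, "EventID": "4104", "Computer": "WS01", "ScriptBlockText": _HIT_TEXT},
    {"_time": 1700000050, "EventID": "4104", "Computer": "WS01", "ScriptBlockText": _HIT_TEXT},
    # Legitimate tab-completion profile: only one indicator present, must not fire.
    {"_time": 1700000200, "EventID": "4104", "Computer": "WS02",
     "ScriptBlockText": "function TabExpansion { param($line, $lastWord) }"},
    # All indicators present but wrong event id (module logging, not script block logging).
    {"_time": 1700000300, "EventID": "4103", "Computer": "WS03", "ScriptBlockText": _HIT_TEXT},
]

if __name__ == "__main__":
    for hit in summarize(SAMPLE_EVENTS):
        print(hit)
```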