32 строки
1.2 KiB
YAML
32 строки
1.2 KiB
YAML
id: 87c1f90a-f868-4528-a9c1-15520249cae6
|
|
name: Nishang Reverse TCP Shell in Base64
|
|
description: |
|
|
'Looks for Base64-encoded commands associated with the Nishang reverse TCP shell.
|
|
Ref: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1'
|
|
requiredDataConnectors:
|
|
- connectorId: SecurityEvents
|
|
dataTypes:
|
|
- SecurityEvent
|
|
tactics:
|
|
- Exfiltration
|
|
relevantTechniques:
|
|
- T1011
|
|
query: |
|
|
SecurityEvent
|
|
| where EventID == 4688
|
|
| where Process in("powershell.exe","powershell_ise.exe") and CommandLine contains "-e"
|
|
| mvexpand SS = split(CommandLine, " ")
|
|
| where SS matches regex "[A-Za-z0-9+/]{50,}[=]{0,2}"
|
|
| extend DecodeString = base64_decodestring(tostring(SS))
|
|
| extend FinalString = replace("\\0", "", DecodeString)
|
|
| where FinalString has "tcpclient" and FinalString contains "$" and (FinalString contains "invoke" or FinalString contains "iex")
|
|
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
|
|
entityMappings:
|
|
- entityType: Account
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: AccountCustomEntity
|
|
- entityType: Host
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: HostCustomEntity |