28 строки
1.1 KiB
YAML
28 строки
1.1 KiB
YAML
id: a2b58512-1298-4a25-a4c7-88ddfed78b0d
|
|
name: Invoke-PowerShellTcpOneLine Usage (Normalized Process Events)
|
|
description: |
|
|
'Invoke-PowerShellTcpOneLine is a PowerShell script to create a simple and small reverse shell. It can be abused by attackers to exfiltrate data. This query looks for command line activity similar to Invoke-PowerShellTcpOneLine.'
|
|
requiredDataConnectors: []
|
|
tactics:
|
|
- Exfiltration
|
|
relevantTechniques:
|
|
- T1011
|
|
query: |
|
|
imProcessCreate
|
|
| where Process has_any ("powershell.exe", "PowerShell_ISE.exe", "cmd.exe")
|
|
| where CommandLine has "$client = New-Object System.Net.Sockets.TCPClient"
|
|
| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Dvc, IPCustomEntity = DvcIpAddr
|
|
entityMappings:
|
|
- entityType: Account
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: AccountCustomEntity
|
|
- entityType: Host
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: HostCustomEntity
|
|
- entityType: IP
|
|
fieldMappings:
|
|
- identifier: Address
|
|
columnName: IPCustomEntity
|