[Emerging-Sigs] SIGS: Powershell Lateral movement

Kevin Ross kevross33 at googlemail.com
Wed Apr 10 02:43:46 HDT 2019


While sigs like |00|p|00|o|w... exist for these, I have found cases where it
appears to require a straight content match, so I am adding these sigs for now
to cover this.

Kind Regards,
Kevin Ross

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Activity Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; classtype:bad-unknown; sid:135515; rev:1;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With No Profile Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-nop"; nocase; distance:0; classtype:bad-unknown; sid:135516; rev:1;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Hidden Window Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-w"; nocase; distance:0; content:"hidden"; nocase; within:17; classtype:bad-unknown; sid:135517; rev:1;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Execution Bypass Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"exec"; nocase; distance:0; content:"bypass"; nocase; within:18; classtype:bad-unknown; sid:135518; rev:1;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Encoded Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-enc"; nocase; distance:0; classtype:bad-unknown; sid:135519; rev:1;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With NonInteractive Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-noni"; nocase; distance:0; classtype:bad-unknown; sid:135520; rev:1;)
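The rules above lean on the relative content modifiers (distance:0, within:N), so the sizing of within:17 and within:18 decides what they catch. The Python below is an added example, not part of Kevin's post or of the ET rule set: it re-implements just enough of the Snort/Suricata content-matching semantics (content, nocase, depth, distance:0, within, with backtracking over earlier matches) to run the six content chains over constructed SMB-like payloads. Everything in it is an assumption made for illustration: the framing helper is not a faithful SMB2 WRITE, the command lines are constructed rather than captured, port/direction/flow state are not modelled, and "-nop" and "-w" are matched nocase in the model because PowerShell parameter names are case-insensitive.

```python
"""
Added example (not from the Emerging-Sigs post): a small model of the
Snort/Suricata content-matching semantics the six SMB/PowerShell rules use,
run over constructed payloads. It shows how within:17 / within:18 are sized,
that the ASCII rules do not see UTF-16LE command lines (the |00|p|00|o|w...
case), and that sid 135515 alone fires on any SMB write containing "powershell".
"""

# One dict per content keyword; modifiers mirror the rule text.
# Assumption (not in the posted rules): "-nop" and "-w" are nocase here too,
# because PowerShell parameter names are case-insensitive.
SMB_HDR = {"pat": b"SMB", "depth": 8}
PS = {"pat": b"powershell", "nocase": True, "distance": 0}

RULES = {
    135515: [SMB_HDR, PS],
    135516: [SMB_HDR, PS, {"pat": b"-nop", "nocase": True, "distance": 0}],
    135517: [SMB_HDR, PS, {"pat": b"-w", "nocase": True, "distance": 0},
             {"pat": b"hidden", "nocase": True, "within": 17}],
    135518: [SMB_HDR, PS, {"pat": b"exec", "nocase": True, "distance": 0},
             {"pat": b"bypass", "nocase": True, "within": 18}],
    135519: [SMB_HDR, PS, {"pat": b"-enc", "nocase": True, "distance": 0}],
    135520: [SMB_HDR, PS, {"pat": b"-noni", "nocase": True, "distance": 0}],
}


def _match(buf, contents, prev_end=0):
    """Recursive matcher with backtracking, like the detection engine:
    a relative content (distance/within) is searched from the end of the
    previous match; if a later content fails, the earlier one is retried
    at its next occurrence."""
    if not contents:
        return True
    c, rest = contents[0], contents[1:]
    relative = "distance" in c or "within" in c
    hay, pat = (buf.lower(), c["pat"].lower()) if c.get("nocase") else (buf, c["pat"])
    # depth:N bounds an absolute content to the first N payload bytes;
    # within:N bounds a relative content to N bytes after the previous match.
    start = prev_end + c.get("distance", 0) if relative else 0
    limit = c.get("within") if relative else c.get("depth")
    end = len(buf) if limit is None else min(len(buf), start + limit)
    pos = hay.find(pat, start, end)  # pattern must lie entirely in [start, end)
    while pos != -1:
        if _match(buf, rest, pos + len(pat)):
            return True
        pos = hay.find(pat, pos + 1, end)
    return False


def fired_sids(payload):
    """Sorted list of sids whose whole content chain matches the payload."""
    return sorted(sid for sid, contents in RULES.items() if _match(payload, contents))


def smb2_write(data):
    """Constructed framing: 4-byte NetBIOS session header, the SMB2 protocol
    id 0xFE 'S' 'M' 'B', a zeroed 60-byte header stand-in, then the written
    data. Enough to put "SMB" inside depth:8; not a real SMB2 WRITE request."""
    body = b"\xfeSMB" + bytes(60) + data
    return len(body).to_bytes(4, "big") + body


# Constructed samples, not captured traffic.
SAMPLES = {
    "psexec_long": smb2_write(b"powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden "
                              b"-ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAA="),
    "psexec_short": smb2_write(b"powershell -nop -noni -w hidden -exec bypass -enc SQBFAFgAIAA="),
    # Same command line as UTF-16LE: the ASCII contents never match it.
    "utf16": smb2_write("powershell -nop -w hidden -enc SQBFAFgAIAA=".encode("utf-16-le")),
    # A script copied over SMB that merely mentions powershell.
    "benign_copy": smb2_write(b"# deploy.ps1: run with powershell -File deploy.ps1\nGet-Date\n"),
    # Three spaces push "hidden" past the 17-byte within window.
    "wide_gap": smb2_write(b"powershell -windowstyle   hidden"),
    # First "-w" fails the within check; the engine retries at the second.
    "retry": smb2_write(b"powershell -windowstyle normal -windowstyle hidden"),
    "not_smb": b"GET /powershell -nop -w hidden HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13} -> {fired_sids(pkt)}")
```

Running it shows both PsExec-style command lines tripping all six sids, the UTF-16LE copy tripping none (which is the gap the |00|p|00|o|w... sigs cover), a plain .ps1 file copy tripping 135515 alone, and a command line with extra spacing between -windowstyle and hidden slipping past within:17 while still matching 135515.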