[Emerging-Sigs] SIGS: Powershell Lateral movement
Travis Green
tgreen at emergingthreats.net
Wed Apr 10 03:32:10 HDT 2019
Thanks Kevin, we'll get these in QA for today's release.
-T
On Wed, Apr 10, 2019 at 5:44 AM Kevin Ross via Emerging-sigs
<emerging-sigs at lists.emergingthreats.net> wrote:
>
> While sigs like |00|p|00|o|w.... exist for these, I have found cases where it appears a straight content match is required, so I am adding these sigs for now to cover this.
>
> Kind Regards,
> Kevin Ross
>
> alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Activity Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; classtype:bad-unknown; sid:135515; rev:1;)
>
> alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With No Profile Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-nop"; distance:0; classtype:bad-unknown; sid:135516; rev:1;)
>
> alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Hidden Window Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-w"; distance:0; content:"hidden"; nocase; within:17; classtype:bad-unknown; sid:135517; rev:1;)
>
> alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Execution Bypass Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"exec"; nocase; distance:0; content:"bypass"; nocase; within:18; classtype:bad-unknown; sid:135518; rev:1;)
>
> alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Encoded Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-enc"; nocase; distance:0; classtype:bad-unknown; sid:135519; rev:1;)
>
> alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With NonInteractive Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-noni"; nocase; distance:0; classtype:bad-unknown; sid:135520; rev:1;)
>
--
PGP:
travisgreen.net/tgreen at emergingthreats.net.asc
travisgreen.net/travis at travisgreen.net.asc
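As an added illustration (not code from the thread or from Emerging Threats), the Python below transcribes the content chains of Kevin's six rules and evaluates them with simplified depth/distance/within/nocase semantics over constructed SMB-like payloads. It does no real SMB parsing; the header bytes, sample commands and `<base64 placeholder>` are assumptions made up for the demo, and show where the case-sensitive `-nop` and `-w` matches leave gaps.

```python
import re

# Each rule's content chain, transcribed from the quoted signatures (sid -> [(content, modifiers)]).
# Note: "-nop" in 135516 and "-w" in 135517 carry no nocase, so those matches are case-sensitive.
SIGS = {
    135515: [("SMB", {"depth": 8}), ("powershell", {"nocase": 1, "distance": 0})],
    135516: [("SMB", {"depth": 8}), ("powershell", {"nocase": 1, "distance": 0}),
             ("-nop", {"distance": 0})],
    135517: [("SMB", {"depth": 8}), ("powershell", {"nocase": 1, "distance": 0}),
             ("-w", {"distance": 0}), ("hidden", {"nocase": 1, "within": 17})],
    135518: [("SMB", {"depth": 8}), ("powershell", {"nocase": 1, "distance": 0}),
             ("exec", {"nocase": 1, "distance": 0}), ("bypass", {"nocase": 1, "within": 18})],
    135519: [("SMB", {"depth": 8}), ("powershell", {"nocase": 1, "distance": 0}),
             ("-enc", {"nocase": 1, "distance": 0})],
    135520: [("SMB", {"depth": 8}), ("powershell", {"nocase": 1, "distance": 0}),
             ("-noni", {"nocase": 1, "distance": 0})],
}

def rule_matches(payload: bytes, chain, i=0, prev_end=None) -> bool:
    """Walk the content chain: depth bounds the first search window, distance sets where the
    next search starts after the previous match, within caps where the next match must end.
    On failure, later occurrences of the previous content are retried (simplified engine model)."""
    if i == len(chain):
        return True
    pat, mods = chain[i]
    rx = re.compile(re.escape(pat.encode()), re.IGNORECASE if mods.get("nocase") else 0)
    if prev_end is None:
        start, end = 0, mods.get("depth", len(payload))
    else:
        start = prev_end + mods.get("distance", 0)
        end = prev_end + mods["within"] if "within" in mods else len(payload)
    return any(rule_matches(payload, chain, i + 1, m.end()) for m in rx.finditer(payload, start, end))

def fired_sids(payload: bytes):
    """Return the sids whose whole content chain matches the payload."""
    return sorted(sid for sid, chain in SIGS.items() if rule_matches(payload, chain))

# Constructed payloads: a NetBIOS length prefix plus the SMB1 magic, so "SMB" sits at offsets 5..8.
SMB_HDR = b"\x00\x00\x00\x80\xffSMB"
SAMPLES = {
    "all_flags":   SMB_HDR + b"....powershell -nop -noni -w hidden -exec bypass -enc <base64 placeholder>",
    "upper_case":  SMB_HDR + b"....POWERSHELL -NOP -W HIDDEN -EXEC BYPASS",
    "long_form":   SMB_HDR + b"....powershell -windowstyle hidden -file c:\\ops\\inventory.ps1",
    "benign_copy": SMB_HDR + b"....\\\\fileserver\\share\\report.docx",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:12s} -> {fired_sids(payload)}")
```

The upper-case sample shows 135516 and 135517 staying silent while 135515 and 135518 fire, and the long-form sample shows why `within:17` on 135517 is just wide enough for `-windowstyle hidden`.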