[Emerging-Sigs] SIG Update: PowerShell SMB Lateral Movement Update

Kevin Ross kevross33 at googlemail.com
Fri Apr 12 03:22:45 HDT 2019


Hi,

Saw an edge-case FP where some software management software seemed to be
accessing or interacting with the PowerShell folder, but not PowerShell
specifically, yet the sig fired. So this fix is to increase accuracy by
accounting for, say, "powershell -enc" or "powershell.exe -enc". The possible
false negative introduced, though, is PowerShell in a variable, which is
possible but maybe not used much, along the lines of "$bad = powershell,
$command=-enc, $bad $command". Up to you if you want to make these changes
for the edge FP case over introducing a potential FN.

Kind Regards,
Kevin

# Updated
alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Activity Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00 20 00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; classtype:trojan-activity; sid:2025719; rev:2; metadata:attack_target SMB_Client, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_18;)

# New (could be regexed into the above sig instead if you don't want another rule, e.g. /powershell(\x00\x20\x00|\x00\x2E\x00e\x00x\x00e\x00)/)
alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Activity Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|.|00|e|00|x|00|e|00|"; nocase; distance:0; classtype:trojan-activity; sid:166111; rev:1;)
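As an added illustration, not part of Kevin's post or the ET ruleset, the following Python models the content matches of the two rules above (the `SMB` marker within `depth:8`, then the UTF-16LE `powershell ` / `powershell.exe` content with `nocase` after it) and runs them over constructed SMB-like payloads: an encoded command, the `.exe` form, a PowerShell module folder path (the FP case), and the variable-indirection case (the FN Kevin mentions). The `smb_payload` helper, the sample strings and the third "bare powershell" pattern are assumptions; the bare pattern is not on the page and only stands in for a looser match that would fire on the folder name.

```python
# Added example: models the content: matches of the two Suricata rules in the
# post against constructed SMB-like payloads. Transport, the smb app-layer
# parser and flow direction are outside this model.

# Suricata |..| hex notation expanded. Each pattern starts with the 0x00 high
# byte of the preceding UTF-16LE character, exactly as the rules spell it.
RULE_CONTENTS = {
    "updated (powershell + space)": b"\x00" + "powershell ".encode("utf-16-le"),
    "new (powershell.exe)": b"\x00" + "powershell.exe".encode("utf-16-le"),
    # Assumed, not from the page: bare UTF-16LE "powershell", standing in for
    # the looser match that fires on a folder named ...PowerShell\...
    "assumed bare powershell": b"\x00" + "powershell".encode("utf-16-le"),
}


def smb_payload(text: str) -> bytes:
    """Constructed SMB2-like message: 0xFE 'SMB' marker, a little padding,
    then a UTF-16LE body, as a Windows path or command line would appear."""
    return b"\xfeSMB" + b"\x00" * 4 + text.encode("utf-16-le")


def rules_fired(payload: bytes) -> list:
    """Names of the rule contents that match this payload.

    content:"SMB"; depth:8  -> marker must sit within the first 8 bytes.
    nocase; distance:0      -> case-insensitive search starting after "SMB".
    bytes.lower() only folds ASCII letters, which is what nocase does for the
    letters inside the UTF-16LE pattern; the 0x00, 0x20 and '.' bytes stay exact.
    """
    smb_at = payload[:8].find(b"SMB")
    if smb_at == -1:
        return []
    rest = payload[smb_at + len(b"SMB"):].lower()
    return [name for name, content in RULE_CONTENTS.items() if content.lower() in rest]


# Constructed sample bodies; the -enc argument is a placeholder, not a real command.
SAMPLES = {
    "encoded command": "cmd.exe /c powershell -enc BASE64PLACEHOLDER",
    "explicit exe": "powershell.exe -enc BASE64PLACEHOLDER",
    "module folder path": r"\Windows\System32\WindowsPowerShell\v1.0\Modules\PSReadline",
    "variable indirection": "$bad = powershell, $command=-enc, $bad $command",
}


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:22s} -> {rules_fired(smb_payload(text)) or ['(no match)']}")
```

Running it shows why both rules are needed: the encoded command only trips the trailing-space content, the `.exe` form only trips the new content, the folder path trips neither (only the assumed bare pattern, i.e. the old FP), and the variable-indirection body also trips neither, which is the FN the post accepts.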