[Emerging-Sigs] SIG Update: PowerShell SMB Lateral Movement Update

Travis Green tgreen at emergingthreats.net
Tue Apr 16 08:38:28 HDT 2019


Thanks Kevin, I'll get them updated / added.

On Fri, Apr 12, 2019 at 6:23 AM Kevin Ross via Emerging-sigs
<emerging-sigs at lists.emergingthreats.net> wrote:
>
> Hi,
>
> Saw an edge case FP where some software management software seemed to be accessing or interacting with the powershell folder but not powershell specifically, but the sig fired. So this fix is to increase accuracy by accounting for say "powershell -enc" or "powershell.exe -enc". The possible false negative introduced though becomes powershell in a variable, which is possible but maybe not used much, along the lines of "$bad = powershell, $command=-enc, $bad $command". Up to you if you want to make these changes for the edge FP case over introducing a potential FN.
>
> Kind Regards,
> Kevin
>
> # Updated
> alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Activity Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00 20 00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; classtype:trojan-activity; sid:2025719; rev:2; metadata:attack_target SMB_Client, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_18;)
>
> # New (could be regexed into the above sig instead if you don't want another, e.g. /powershell(\x00\x20\x00|\x00\x2E\x00e\x00x\x00e\x00)/)
> alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Activity Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|.|00|e|00|x|00|e|00|"; nocase; distance:0; classtype:trojan-activity; sid:166111; rev:1;)
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
>


-- 
PGP:
travisgreen.net/tgreen at emergingthreats.net.asc
travisgreen.net/travis at travisgreen.net.asc
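The thread above argues about exactly which byte sequence the `content:` keyword sees on the wire, so the following added example (written for this page, not code from Kevin, Travis or the ET rule set) reproduces the relevant part of Suricata's matching in Python: it decodes the `|..|` hex notation, applies `depth`, `nocase` and `distance:0` in order, and runs both rules over constructed UTF-16LE SMB payloads for the four cases discussed (a plain `powershell -enc` launch, a full `powershell.exe` path, the PowerShell folder access that caused the FP, and the variable-indirection FN). The payload framing and the sample command lines are assumptions built for the demo; the content strings are copied from the two rules.

```python
def parse_content(spec: str) -> bytes:
    """Decode a Suricata content string into raw bytes.

    Text outside |..| is literal; hex pairs inside |..| (whitespace
    allowed, e.g. |00 20 00|) are decoded. Pipes alternate literal/hex.
    """
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")   # literal segment
        else:
            out += bytes.fromhex(chunk)      # hex segment
    return bytes(out)


def rule_matches(payload: bytes, contents) -> bool:
    """Evaluate an ordered list of (content_spec, options) like Suricata.

    Supported options: depth (absolute window from payload start),
    nocase (ASCII case folding of both sides), distance (relative offset
    from the end of the previous match; distance:0 = 'after previous').
    """
    pos = 0
    for spec, opts in contents:
        needle, hay = parse_content(spec), payload
        if opts.get("nocase"):
            needle, hay = needle.lower(), hay.lower()
        start = pos + opts["distance"] if "distance" in opts else 0
        end = start + opts["depth"] if "depth" in opts else len(hay)
        idx = hay.find(needle, start, end)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True


# Content strings copied from the two rules in the thread.
PS_SPACE = "|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00 20 00|"
PS_EXE = "|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|.|00|e|00|x|00|e|00|"

UPDATED_RULE = [("SMB", {"depth": 8}), (PS_SPACE, {"nocase": True, "distance": 0})]
NEW_RULE = [("SMB", {"depth": 8}), (PS_EXE, {"nocase": True, "distance": 0})]


def smb_payload(command_line: str) -> bytes:
    """Constructed stand-in for an SMB2 message carrying a UTF-16LE string.

    Real traffic has a full header and service-control structures in
    between; for content matching only the 'SMB' magic within the first
    8 bytes and the null-interleaved text matter, which is what the
    rule's leading |00| before 'p' relies on.
    """
    return b"\xfeSMB" + b"\x00" * 60 + command_line.encode("utf-16-le")


# Constructed samples mirroring the cases raised in the thread.
SAMPLES = {
    "lateral_space": "powershell -enc AAAAAAAA",
    "lateral_exe": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc AAAAAAAA",
    "folder_fp": r"\\fileserver\share\PowerShell\Modules\Inventory.psm1",
    "variable_fn": '$bad="powershell";$cmd="-enc";&$bad $cmd',
}


def evaluate(samples=None):
    """Return {name: (updated_rule_fires, new_rule_fires)} per sample."""
    samples = SAMPLES if samples is None else samples
    return {
        name: (rule_matches(smb_payload(cmd), UPDATED_RULE),
               rule_matches(smb_payload(cmd), NEW_RULE))
        for name, cmd in samples.items()
    }


if __name__ == "__main__":
    for name, (updated, new) in evaluate().items():
        print(f"{name:14s} updated={updated!s:5s} new={new!s:5s}")
```

The trailing `|00 20 00|` in the updated rule is what stops the folder-path case from firing (the character after `powershell` is a backslash, not a space), and the `.exe` variant covers full-path launches; the variable-indirection sample shows the FN Kevin describes, where neither byte pattern appears because `powershell` is followed by a quote.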

