
Summary
This detection rule identifies potentially malicious PowerShell activity by monitoring use of the 'TcpClient' class, which is commonly used to establish reverse shells. It focuses on PowerShell commands that use this class to create network connections capable of giving an attacker remote access to a system. Because the class appears in exploit frameworks and known attacks, the rule helps security teams detect attempts to use PowerShell as a tool for executing commands on compromised systems remotely. The rule also references known scripts, such as 'Invoke-PowerShellTcpOneLine' from the Nishang toolkit, that match this attack pattern, supporting timely mitigation and incident response. Close monitoring of PowerShell activity matters because such activity can indicate a broader intrusion and command-and-control operation against an enterprise environment.
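As an added illustration, not the rule's own logic or any vendor code, the following Python applies the detection idea to constructed process-creation events: it flags PowerShell hosts whose command line references the TcpClient class or the Nishang script name, and it also decodes -EncodedCommand arguments, which a plain substring match on the command line would miss. The image names, event field names and sample events are assumptions made for this example.

```python
import base64
import re

# Process images treated as PowerShell hosts (assumed names, not from the rule).
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
# Indicators the rule keys on: the TcpClient class and the Nishang script name.
INDICATOR = re.compile(
    r"(?:System\.)?Net\.Sockets\.TcpClient|\bTcpClient\b|Invoke-PowerShellTcpOneLine",
    re.IGNORECASE)
# -EncodedCommand (and its short aliases) followed by a base64 blob.
ENCODED_ARG = re.compile(
    r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE script behind -EncodedCommand, or '' if there is none."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def evaluate(event: dict):
    """Apply the rule to one process-creation event; None means no alert."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image not in POWERSHELL_IMAGES:
        return None
    # Check the visible command line first, then whatever -EncodedCommand hides.
    for source, text in (("cmdline", event["cmdline"]),
                         ("encoded", decode_encoded_command(event["cmdline"]))):
        m = INDICATOR.search(text)
        if m:
            return {"image": image, "indicator": m.group(0), "source": source}
    return None

def run_detection(events: list) -> list:
    return [a for a in (evaluate(e) for e in events) if a]

# Constructed sample events, not real telemetry; the second hides its script via -EncodedCommand.
_ENCODED = base64.b64encode("$t = New-Object Net.Sockets.TcpClient".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"$c = New-Object System.Net.Sockets.TcpClient('198.51.100.7', 4444)\""},
    {"image": r"C:\Program Files\PowerShell\7\pwsh.exe", "cmdline": "pwsh.exe -enc " + _ENCODED},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c \"Get-ChildItem C:\\Temp\""},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c echo TcpClient"},
]
```

Commands loaded from a .ps1 file leave no TcpClient string on the command line, so pair this with PowerShell script block logging (Event ID 4104); legitimate port-check scripts that instantiate TcpClient will also trip the rule and need triage.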
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2021-03-03