SPL · Apache-2.0 · from splunk/security_content
GetNetTcpconnection with PowerShell Script Block
The following analytic detects the execution of the `Get-NetTcpconnection` PowerShell cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet lists network connections on a system, which adversaries may use for situational awareness and Active Directory discovery. Monitoring this activity is crucial as it can indicate reconnaissance efforts by an attacker. If confirmed malicious, this behavior could allow an attacker to map the network, identify critical systems, and plan further attacks, potentially leading to data exfiltration or lateral movement within the network.
Quality: 59 · FP risk: —
Rule source: detections/endpoint/getnettcpconnection_with_powershell_script_block.yml
`powershell` EventCode=4104 (ScriptBlockText = "*Get-NetTcpconnection*")
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime BY dest signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `getnettcpconnection_with_powershell_script_block_filter`
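To make the search's behaviour concrete without a Splunk instance, the following Python is an added, offline emulation of the rule above; it is not code from splunk/security_content. It applies the same filter (EventCode 4104 plus the `*Get-NetTcpconnection*` wildcard on ScriptBlockText, matched case-insensitively as Splunk does, so the canonical spelling `Get-NetTCPConnection` is also caught), the same `fillnull` default of 0, and the same `stats count min(_time) max(_time) BY <fields>` aggregation, over a handful of constructed 4104 events. The event dicts, hostnames, user names and the assumption that `security_content_ctime` renders epoch seconds as `%m/%d/%Y %H:%M:%S` are all assumptions made for this example.

```python
"""Offline emulation of the GetNetTcpconnection script block detection.
Added example, not the rule's own code. Assumes events are pre-parsed
dicts carrying the fields the SPL groups on; all sample data is constructed."""
import fnmatch
from collections import defaultdict
from datetime import datetime, timezone

# Fields named in the SPL `stats ... BY` clause, in the same order.
GROUP_BY = ("dest", "signature", "signature_id", "user_id", "vendor_product",
            "EventID", "Guid", "Opcode", "Name", "Path", "ProcessID",
            "ScriptBlockId", "ScriptBlockText")
PATTERN = "*Get-NetTcpconnection*"   # wildcard taken from the SPL
EVENT_CODE = "4104"                  # PowerShell Script Block Logging


def matches(event):
    """Rule filter: EventCode=4104 and ScriptBlockText matching the wildcard.
    Splunk search-term matching is case-insensitive, so compare lower-cased."""
    if str(event.get("EventCode", "")) != EVENT_CODE:
        return False
    text = str(event.get("ScriptBlockText") or "")
    return fnmatch.fnmatchcase(text.lower(), PATTERN.lower())


def fillnull(event):
    """`| fillnull` with no arguments: null group-by fields become 0."""
    return {f: ("0" if event.get(f) in (None, "") else str(event[f]))
            for f in GROUP_BY}


def security_content_ctime(epoch):
    """Assumed rendering of the macro: epoch seconds -> %m/%d/%Y %H:%M:%S (UTC)."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def detect(events):
    """stats count min(_time) as firstTime max(_time) as lastTime BY GROUP_BY."""
    groups = defaultdict(list)
    for ev in events:
        if matches(ev):
            groups[tuple(fillnull(ev).values())].append(int(ev["_time"]))
    rows = []
    for key, times in groups.items():
        row = dict(zip(GROUP_BY, key))
        row.update(count=len(times),
                   firstTime=security_content_ctime(min(times)),
                   lastTime=security_content_ctime(max(times)))
        rows.append(row)
    return rows


def _event(**fields):
    """Constructed 4104-style event with the static fields filled in."""
    base = dict(EventCode="4104", signature="Execute a Remote Command",
                signature_id="4104", vendor_product="Microsoft Windows",
                EventID="4104", Opcode="On create calls",
                Name="Microsoft-Windows-PowerShell")
    base.update(fields)
    return base


# Constructed sample events, not captured from a real host.
SAMPLE_EVENTS = [
    # Same script block compiled twice on WKSTN-01: one group, count 2.
    _event(_time=1700000000, dest="WKSTN-01", user_id="CORP\\alice",
           Guid="{guid-0001}", ProcessID="4120", ScriptBlockId="sb-0001",
           Path="C:\\Users\\alice\\recon.ps1",
           ScriptBlockText="Get-NetTCPConnection -State Established | "
                           "Select-Object LocalAddress,RemoteAddress,RemotePort"),
    _event(_time=1700000060, dest="WKSTN-01", user_id="CORP\\alice",
           Guid="{guid-0001}", ProcessID="4120", ScriptBlockId="sb-0001",
           Path="C:\\Users\\alice\\recon.ps1",
           ScriptBlockText="Get-NetTCPConnection -State Established | "
                           "Select-Object LocalAddress,RemoteAddress,RemotePort"),
    # Benign block on the same host: no match.
    _event(_time=1700000120, dest="WKSTN-01", user_id="CORP\\alice",
           Guid="{guid-0002}", ProcessID="4120", ScriptBlockId="sb-0002",
           Path="C:\\Users\\alice\\stats.ps1",
           ScriptBlockText="Get-Process | Sort-Object CPU -Descending"),
    # Wrong event code (4103 pipeline logging): ignored by the rule.
    _event(_time=1700000180, EventCode="4103", EventID="4103", dest="SRV-02",
           user_id="CORP\\svc-backup", Guid="{guid-0003}", ProcessID="5300",
           ScriptBlockId="sb-0003", ScriptBlockText="Get-NetTcpconnection"),
    # Interactive console on SRV-02: lower-case cmdlet, no Path -> fillnull "0".
    _event(_time=1700000240, dest="SRV-02", user_id="CORP\\bob",
           Guid="{guid-0004}", ProcessID="6612", ScriptBlockId="sb-0004",
           ScriptBlockText="get-nettcpconnection | where-object LocalPort -eq 445"),
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row["dest"], row["user_id"], row["count"],
              row["firstTime"], row["lastTime"], row["Path"])
```

Because every field in the `BY` clause is part of the group key, a host that compiles the same block repeatedly collapses into one row with a count, while a different user, process or script text on the same host yields a separate row; that is what the tuning macro at the end of the search filters on.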