Navigation :

Getnettcpconnection With Powershell Script Block

Description

The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-NetTcpconnection commandlet. This commandlet is used to return a listing of network connections on a compromised system. Red Teams and adversaries alike may use this commandlet for situational awareness and Active Directory Discovery.

Help
Getnettcpconnection With Powershell Script Block Help To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#ConfiguremoduleloggingforPowerShell.

Help

Getnettcpconnection With Powershell Script Block Help

To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#ConfiguremoduleloggingforPowerShell.

Search
`powershell` EventCode=4104 (Message = "Get-NetTcpconnection") \| stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User \| `security_content_ctime(firstTime)` \| `getnettcpconnection_with_powershell_script_block_filter` Open in Search

Search

`powershell` EventCode=4104 (Message = "*Get-NetTcpconnection*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `getnettcpconnection_with_powershell_script_block_filter`

Open in Search