Getnettcpconnection With Powershell Script Block
Description
The following analytic uses PowerShell Script Block Logging (EventCode=4104) to identify execution of the Get-NetTCPConnection cmdlet. This cmdlet returns a listing of the TCP network connections on a compromised system. Red Teams and adversaries alike may use it for situational awareness and Active Directory Discovery.
Help
To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup is described here: https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#ConfiguremoduleloggingforPowerShell
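The detection logic described above, applied offline to a few constructed 4104 records, as an added example that is not the Splunk search belonging to this analytic. The sample events are made up for illustration; the field names (EventCode, Computer, UserID, ScriptBlockText) mirror what a 4104 event carries after collection but are assumptions for your own environment. Matching is case-insensitive because PowerShell resolves cmdlet names without regard to letter case, and only EventCode 4104 records are considered, since the cmdlet name appearing in other event types is outside this analytic's scope.

```python
"""
Added example (not from the detection page): flag PowerShell Script Block
Logging events (EventCode 4104) whose ScriptBlockText invokes the
Get-NetTCPConnection cmdlet, then roll findings up per host and user.
"""
import re
from dataclasses import dataclass

# Constructed sample events; not real telemetry. Field names are assumed to
# mirror a collected 4104 record (Computer, UserID, ScriptBlockText).
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "ws01.example.local", "UserID": "S-1-5-21-111",
     "ScriptBlockText": "Get-NetTCPConnection -State Established | "
                        "Select-Object RemoteAddress,RemotePort"},
    {"EventCode": 4104, "Computer": "ws02.example.local", "UserID": "S-1-5-21-222",
     "ScriptBlockText": "get-nettcpconnection | where-object "
                        "{$_.RemoteAddress -ne '127.0.0.1'}"},
    {"EventCode": 4104, "Computer": "ws03.example.local", "UserID": "S-1-5-21-333",
     "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending | "
                        "Select-Object -First 5"},
    # Same cmdlet name but a different event code: not script block logging,
    # so this analytic does not fire on it.
    {"EventCode": 4103, "Computer": "ws04.example.local", "UserID": "S-1-5-21-444",
     "ScriptBlockText": "Get-NetTCPConnection"},
    # Similar-looking cmdlet name that must not match.
    {"EventCode": 4104, "Computer": "ws05.example.local", "UserID": "S-1-5-21-555",
     "ScriptBlockText": "Get-NetTCPSetting"},
]

# Word-bounded, case-insensitive: PowerShell cmdlet names are case-insensitive,
# and the boundary keeps Get-NetTCPSetting or similar names from matching.
CMDLET_PATTERN = re.compile(r"\bGet-NetTCPConnection\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    computer: str
    user_id: str
    script_block: str


def matches_cmdlet(script_block_text: str) -> bool:
    """True when the script block text invokes Get-NetTCPConnection (any case)."""
    return CMDLET_PATTERN.search(script_block_text) is not None


def detect(events):
    """Apply the analytic: only EventCode 4104 records whose ScriptBlockText
    references the cmdlet yield a Finding, in input order."""
    findings = []
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue
        text = ev.get("ScriptBlockText", "")
        if matches_cmdlet(text):
            findings.append(Finding(ev["Computer"], ev["UserID"], text))
    return findings


def summarize(findings):
    """Count findings per (computer, user) pair, the way a stats-style
    aggregation in a SIEM search would roll them up for triage."""
    counts = {}
    for f in findings:
        key = (f.computer, f.user_id)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.computer} {f.user_id}: {f.script_block}")
    for (computer, user), n in summarize(found).items():
        print(f"{computer} {user} count={n}")
```

One caveat when moving this to real telemetry: PowerShell splits long script blocks across several 4104 events, so a cmdlet name can sit in a fragment other than the first one; matching on every fragment, as above, rather than only on the first event of a block, avoids missing it.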