Name:GetNetTcpconnection with PowerShell Script Block id:091712ff-b02a-4d43-82ed-34765515d95d version:6 date:2024-11-13 author:Mauricio Velazco, Splunk status:production type:Hunting Description:The following analytic detects the execution of the `Get-NetTcpconnection` PowerShell cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet lists network connections on a system, which adversaries may use for situational awareness and Active Directory discovery. Monitoring this activity is crucial as it can indicate reconnaissance efforts by an attacker. If confirmed malicious, this behavior could allow an attacker to map the network, identify critical systems, and plan further attacks, potentially leading to data exfiltration or lateral movement within the network. Data_source:
-Powershell Script Block Logging 4104
search:`powershell` EventCode=4104 (ScriptBlockText = "*Get-NetTcpconnection*") | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getnettcpconnection_with_powershell_script_block_filter`
how_to_implement:To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives:Administrators or power users may use this PowerShell commandlet for troubleshooting. References: -https://attack.mitre.org/techniques/T1049/ -https://docs.microsoft.com/en-us/powershell/module/nettcpip/get-nettcpconnection?view=windowsserver2019-ps drilldown_searches:
: tags: analytic_story: - 'Active Directory Discovery' asset_type:Endpoint mitre_attack_id: - 'T1049' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:endpoint
