Skip to content

Hide Navigation Hide TOC

Potential Powershell ReverseShell Connection (edc2f8ae-2412-4dfd-b9d5-0c57727e70be)

Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other.

Cluster A Galaxy A Cluster B Galaxy B Level
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Potential Powershell ReverseShell Connection (edc2f8ae-2412-4dfd-b9d5-0c57727e70be) Sigma-Rules 1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2