[Bro] Detecting remote powershell

James Lay jlay at slave-tothe-box.net
Fri Mar 9 12:54:50 PST 2018


So at the end of the day, unencrypted remote PowerShell goes over TCP
port 5985, WinRM style: 

POST /wsman?PSVersion=5.1.14393.1944 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/soap+xml;charset=UTF-8
Authorization: Kerberos
User-Agent: Microsoft WinRM Client
Content-Length: 0
Host: bleh:5985 

HTTP/1.1 401
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate
WWW-Authenticate: Kerberos
Date: Fri, 16 Feb 2018 18:17:04 GMT
Connection: close
Content-Length: 0 

So, any chance we can get 5985 added to the list of "http" ports to
parse? Thank you. 

James 
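An added example, not code from the original post and not part of Bro's own scripts: a Bro 2.5-style script that does what the request above asks for (registers 5985/tcp with the HTTP analyzer so the captured POST /wsman exchange lands in http.log) and additionally raises a notice when the request line or the User-Agent from that capture is seen. The module name WinRM, the notice type WinRM::Session_Seen, and the one-hour suppression window are assumptions chosen for illustration. One caveat worth knowing before relying on this: with Negotiate/Kerberos authentication, as in the capture above, WinRM encrypts the SOAP bodies at the message layer even on port 5985, so the HTTP analyzer will yield methods, URIs and headers but not the PowerShell commands themselves.

```bro
##! Added example (not from the original post or from Bro's base scripts):
##! treat WinRM's plaintext port as HTTP and notice on remote PowerShell.
##! Assumed names: module WinRM, notice type WinRM::Session_Seen.

@load base/frameworks/notice
@load base/protocols/http

module WinRM;

export {
	redef enum Notice::Type += {
		## Raised once per client/server pair when a WinRM (remote
		## PowerShell) request is observed.
		Session_Seen,
	};

	## Default WinRM plaintext port.  5986 (WinRM over TLS) is not
	## listed because its payload is TLS, not parseable HTTP.
	const ports = { 5985/tcp } &redef;
}

# Let Bro's connection heuristics treat 5985 as a server port.
redef likely_server_ports += { ports };

event bro_init()
	{
	# Attach the HTTP analyzer to 5985 so http.log records the
	# POST /wsman requests shown in the captured exchange.
	Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports);
	}

function flag(c: connection, why: string)
	{
	NOTICE([$note=Session_Seen,
	        $conn=c,
	        $msg=fmt("WinRM traffic %s -> %s (%s)",
	                 c$id$orig_h, c$id$resp_h, why),
	        # Assumed policy: one notice per client/server pair per hour.
	        $identifier=cat(c$id$orig_h, c$id$resp_h),
	        $suppress_for=1hr]);
	}

# Request line: WinRM posts to /wsman, optionally with ?PSVersion=...
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
	{
	if ( method == "POST" && /^\/wsman/ in unescaped_URI )
		flag(c, fmt("%s %s", method, unescaped_URI));
	}

# Client header: Bro delivers header names upper-cased in this event.
event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	if ( is_orig && name == "USER-AGENT" && /^Microsoft WinRM Client/ in value )
		flag(c, fmt("User-Agent %s", value));
	}
```

Load it from local.bro (or run `bro -r capture.pcap winrm.bro` against a pcap of the exchange above) and the 5985 traffic appears in http.log with method POST and uri /wsman?PSVersion=..., plus a WinRM::Session_Seen entry in notice.log. Only http_request or http_header needs to fire for the notice; the $identifier keeps a long-running session from producing one notice per request.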

On 2018-02-16 11:32, James Dickenson wrote:

> I don't believe I've seen any work in this regard for Bro, it would be great if someone invested the time to build something.  I do know that there is the Attack Detection team that have been submitting a lot of powershell,empire,etc based rules to the ET ruleset for Snort/Suricata.
> 
> -James D.
> 
> On Wed, Feb 14, 2018 at 5:03 AM, James Lay <jlay at slave-tothe-box.net> wrote:
> 
>> Hey All, 
>> 
>> Topic really...has anyone put some work/sigs into detecting remote powershell?  Figured I'd start here first...thank you. 
>> 
>> James 
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro [1]


Links:
------
[1] http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro