[Bro] Detecting remote powershell

Patrick Kelley patrick.kelley at criticalpathsecurity.com
Fri Mar 9 13:27:16 PST 2018


I'd like to see this as well.  Though most of the data we observe is
encrypted, previously I've created events or pushed to a new log where
observed.

Such as...

#####

@load base/protocols/http
@load base/frameworks/notice

# Pattern for the WinRM client's User-Agent ("Microsoft WinRM Client").
const winrm_user_agent = /WinRM.*/ &redef;

# Ports WinRM listens on: 5985/tcp (HTTP) and 5986/tcp (HTTPS).
const winrm_port: set[port] = {
        5985/tcp,
        5986/tcp,
        } &redef;

# Notice raised when a WinRM client user agent is observed.
redef enum Notice::Type += {
        WinRM_Client_Seen,
};

event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5
        {
        if ( ! c?$http )
                return;

        # Only the client's User-Agent header is of interest. The header value is
        # matched directly, so the check does not depend on c$http$user_agent
        # having already been filled in by the base HTTP scripts.
        if ( ! is_orig || name != "USER-AGENT" )
                return;

        if ( winrm_user_agent in value )
                NOTICE([$note=WinRM_Client_Seen,
                        $msg=fmt("WinRM user agent '%s' from %s", value, c$id$orig_h),
                        $conn=c,
                        $identifier=cat(c$id$orig_h, c$id$resp_h)]);
        }

#####


On Fri, Mar 9, 2018 at 3:54 PM, James Lay <jlay at slave-tothe-box.net> wrote:

> So at the end of the day, unencrypted remote powershell goes over tcp port
> 5985, WinRMI style:
>
>
>
> POST /wsman?PSVersion=5.1.14393.1944 HTTP/1.1
> Connection: Keep-Alive
> Content-Type: application/soap+xml;charset=UTF-8
> Authorization: Kerberos
> User-Agent: Microsoft WinRM Client
> Content-Length: 0
> Host: bleh:5985
>
> HTTP/1.1 401
> Server: Microsoft-HTTPAPI/2.0
> WWW-Authenticate: Negotiate
> WWW-Authenticate: Kerberos
> Date: Fri, 16 Feb 2018 18:17:04 GMT
> Connection: close
> Content-Length: 0
>
>
>
> So any chance we can get 5985 added to the list of "http" ports to parse,
> thank you.
>
> James
>
>
> On 2018-02-16 11:32, James Dickenson wrote:
>
>
>
> I don't believe I've seen any work in this regard for Bro, it would be
> great if someone invested the time to build something.  I do know that
> there is the Attack Detection team that have been submitting a lot of
> powershell,empire,etc based rules to the ET ruleset for Snort/Suricata.
>
>
> -James D.
>
>
> On Wed, Feb 14, 2018 at 5:03 AM, James Lay <jlay at slave-tothe-box.net>
> wrote:
>
>> Hey All,
>>
>> Topic really...has anyone put some work/sigs into detecting remote
>> powershell?  Figured I'd start here first...thank you.
>>
>> James
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>



-- 

*Patrick Kelley, CISSP, C|EH, ITIL*
*CTO*
patrick.kelley at criticalpathsecurity.com
(o) 770-224-6482
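Taking James Lay's request in the quoted post (have Bro parse 5985/tcp as HTTP) together with the captured WinRM exchange, here is an added Bro script that is not from the thread or from Bro itself; the WinRM module name, the Remote_PowerShell notice type and the PSVersion extraction from the query string are my own assumptions.

```bro
# Added example, not code from the thread: parse the WinRM ports as HTTP and
# raise a notice for WS-Management (remote PowerShell) requests.
@load base/protocols/http
@load base/frameworks/notice

module WinRM;

export {
    redef enum Notice::Type += {
        ## A WS-Management (remote PowerShell) request was seen.
        Remote_PowerShell,
    };
    ## Ports WinRM listens on: 5985/tcp (HTTP) and 5986/tcp (HTTPS).
    const ports: set[port] = { 5985/tcp, 5986/tcp } &redef;

    ## The WS-Management endpoint used by PowerShell remoting.
    const wsman_uri = /^\/wsman/ &redef;
}

# Let the HTTP analyzer parse the WinRM ports (what the thread asked for).
# 5986/tcp carries TLS, so only the plaintext 5985/tcp exchange is parsed as HTTP.
redef likely_server_ports += ports;

event bro_init() &priority=5
    {
    Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports);
    }

# http_request fires once per request line, after the base scripts populated c$http.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &priority=3
    {
    if ( c$id$resp_p !in ports || wsman_uri !in original_URI )
        return;

    # The client puts its PowerShell version in the query string
    # (PSVersion=5.1.14393.1944 in the captured request).
    local ps_version = "unknown";
    local parts = split_string1(original_URI, /PSVersion=/);
    if ( |parts| == 2 )
        ps_version = parts[1];

    NOTICE([$note=Remote_PowerShell,
            $msg=fmt("%s %s from %s to %s (PSVersion %s)", method, original_URI,
                     c$id$orig_h, c$id$resp_h, ps_version),
            $conn=c,
            $identifier=cat(c$id$orig_h, c$id$resp_h),
            $suppress_for=1hr]);
    }
```

The notice fires once per client/server pair per hour; the Kerberos-authenticated request in the capture carries no body, so the URI and the client's PSVersion are the only cleartext indicators available on 5985/tcp.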