The reverse-shell-nishang rule detects adversaries using Nishang PowerShell modules to establish a reverse shell, leveraging common attack patterns to exfiltrate data or maintain persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise early and mitigate lateral movement risks.
KQL Query
DeviceProcessEvents | where FileName has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
| where ProcessCommandLine contains "$client = New-Object System.Net.Sockets.TCPClient"
id: 7490e437-edc2-40b3-87fe-45b736593deb
name: reverse-shell-nishang
description: |
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".
In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links:
1. CVE-2021-26855
2. CVE-2021-26857
3. CVE-2021-26858
4. CVE-2021-27065
The following query finds evidence of a reverse shell being loaded using a technique associated with the Nishang penetration testing framework. This might indicate an attacker has remote access to the device.
More queries related to this threat can be found under the See also section of this page.
Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
tactics:
- Execution
- Persistence
- Exfiltration
query: |
DeviceProcessEvents | where FileName has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
| where ProcessCommandLine contains "$client = New-Object System.Net.Sockets.TCPClient"
| Sentinel Table | Notes |
|---|---|
DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: PowerShell Remoting (PSRemoting) administrative task
Description: A system administrator uses PowerShell Remoting to execute commands on remote servers as part of routine maintenance.
Filter/Exclusion: process.parent_process_name:*Windows PowerShell* OR process.command_line:*Invoke-Command*
Scenario: Scheduled Task Execution
Description: A legitimate scheduled task runs a PowerShell script that connects to a remote server for data synchronization.
Filter/Exclusion: process.command_line:*schtasks.exe* OR process.parent_process_name:*Task Scheduler*
Scenario: Nishang PowerShell Obfuscation for Admin Tasks
Description: An admin uses Nishang modules (e.g., Invoke-Nishang or IEX with obfuscated payloads) to perform a legitimate system check or patching task.
Filter/Exclusion: process.command_line:*Nishang* OR process.parent_process_name:*Windows PowerShell*
Scenario: Just-In-Time (JIT) VM Provisioning with PowerShell
Description: A cloud admin provisions a new virtual machine using a PowerShell script that connects to a remote management service.
Filter/Exclusion: process.command_line:*New-VirtualMachine* OR process.parent_process_name:*Azure PowerShell*
Scenario: Logon Script Execution with PowerShell
Description: A user’s logon script runs a PowerShell command that connects to a central management server for policy updates.
Filter/Exclusion: process.command_line:*LogonScript.ps1* OR process.parent_process_name:*Logon*