From b74563957b0ff86c565bad4138758365d816935a Mon Sep 17 00:00:00 2001
From: x90slide <45627103+BinFault@users.noreply.github.com>
Date: Sat, 20 Dec 2025 22:26:18 +0530
Subject: [PATCH 1/5] Create Powershell.yml

Powershell can be used for scanning open ports from compromized windows system.
---
 yml/OSBinaries/Powershell.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 yml/OSBinaries/Powershell.yml

diff --git a/yml/OSBinaries/Powershell.yml b/yml/OSBinaries/Powershell.yml
new file mode 100644
index 00000000..7c68256d
--- /dev/null
+++ b/yml/OSBinaries/Powershell.yml
@@ -0,0 +1,16 @@
+---
+Name: Powershell.exe
+Description: Windows PowerShell
+Author: x90slide
+Created: 2025-12-20
+Commands:
+ - Command: | % {echo ((new-object Net.Sockets.TcpClient).Connect("",$_)) "Port $_ is open"} 2>$null
+ # Port range can be defined via 1..1024 and multiple ports can be defined via 80,443
+ Description: Scans the IP address for open ports.
+ Usecase: Network Scanning
+ Category: Reconnaissance
+ Privileges: User
+ MitreID: T1046
+ OperatingSystem: Windows 10, Windows 11
+Full_Path:
+ - Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

From 6cb80ecff8c08c86faef0cb1cbbf7ece4967285b Mon Sep 17 00:00:00 2001
From: x90slide <45627103+BinFault@users.noreply.github.com>
Date: Sat, 20 Dec 2025 22:48:53 +0530
Subject: [PATCH 2/5] Update Powershell.yml

---
 yml/OSBinaries/Powershell.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/yml/OSBinaries/Powershell.yml b/yml/OSBinaries/Powershell.yml
index 7c68256d..49a09566 100644
--- a/yml/OSBinaries/Powershell.yml
+++ b/yml/OSBinaries/Powershell.yml
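Review bot: The `Command:` value in the new file, `| % {echo ...} 2>$null`, is not valid YAML: a bare `|` after the colon is the block-scalar indicator, and a parser rejects the `% {...}` text that follows it on the same line, so the entry fails to load before any schema check runs; this form is also what the series ends with (patch 3 restores it after patch 2's two-line variant, and patches 4 and 5 leave it untouched). Quote the scalar so the PowerShell pipe is literal text, e.g. `- Command: '| % {echo ((new-object Net.Sockets.TcpClient).Connect("",$_)) "Port $_ is open"} 2>$null'`. As written the command is also a pipeline fragment: the port list expected on the left of `|` and the host in `Connect("",$_)` are described only in the trailing `# Port range ...` YAML comment, which validators and renderers drop, so that information belongs in `Description:` or as clearly marked placeholders in the command itself. `Full_Path` lists only the System32 binary; whether the repository's convention also expects the SysWOW64 copy should be checked against neighbouring entries.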
@@ -4,7 +4,9 @@ Description: Windows PowerShell
 Author: x90slide
 Created: 2025-12-20
 Commands:
- - Command: | % {echo ((new-object Net.Sockets.TcpClient).Connect("",$_)) "Port $_ is open"} 2>$null
+ - Command: powershell
+ | % {echo ((new-object Net.Sockets.TcpClient).Connect("",$_)) "Port $_ is open"} 2>$null
+
 # Port range can be defined via 1..1024 and multiple ports can be defined via 80,443
 Description: Scans the IP address for open ports.
 Usecase: Network Scanning

From 8bd57a51bd2b9b01e1f1ca13bec84f46d0a1b50c Mon Sep 17 00:00:00 2001
From: x90slide <45627103+BinFault@users.noreply.github.com>
Date: Sat, 20 Dec 2025 22:50:17 +0530
Subject: [PATCH 3/5] Update Powershell.yml

---
 yml/OSBinaries/Powershell.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/yml/OSBinaries/Powershell.yml b/yml/OSBinaries/Powershell.yml
index 49a09566..7c68256d 100644
--- a/yml/OSBinaries/Powershell.yml
+++ b/yml/OSBinaries/Powershell.yml
@@ -4,9 +4,7 @@ Description: Windows PowerShell
 Author: x90slide
 Created: 2025-12-20
 Commands:
- - Command: powershell
- | % {echo ((new-object Net.Sockets.TcpClient).Connect("",$_)) "Port $_ is open"} 2>$null
-
+ - Command: | % {echo ((new-object Net.Sockets.TcpClient).Connect("",$_)) "Port $_ is open"} 2>$null
 # Port range can be defined via 1..1024 and multiple ports can be defined via 80,443
 Description: Scans the IP address for open ports.
 Usecase: Network Scanning

From 32316b053ea1cf528f20f135ebacab21f4bc5cfd Mon Sep 17 00:00:00 2001
From: x90slide <45627103+BinFault@users.noreply.github.com>
Date: Sat, 20 Dec 2025 23:00:11 +0530
Subject: [PATCH 4/5] Update Powershell.yml

---
 yml/OSBinaries/Powershell.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/yml/OSBinaries/Powershell.yml b/yml/OSBinaries/Powershell.yml
index 7c68256d..758c814c 100644
--- a/yml/OSBinaries/Powershell.yml
+++ b/yml/OSBinaries/Powershell.yml
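Review bot: Patches 2 and 3 cancel each other out — patch 3 brings the file back to blob 7c68256d exactly — so the pair should be squashed out of the series rather than leaving a change and its revert in history. The intermediate form patch 2 introduces is not an improvement either: read as a folded plain scalar it becomes `powershell | % {...}`, which pipes the output of a child powershell process into the loop so `$_` would be an output line rather than a port number, and the bare `+` after it inserts an empty line in the middle of the list item. Both hunks leave the port range only in the `# Port range ...` YAML comment; if the intent was to carry the pipe's input, it belongs in the `Command:` value or in `Description:`, where a schema validator will keep it.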
@@ -14,3 +14,6 @@ Commands:
 OperatingSystem: Windows 10, Windows 11
 Full_Path:
 - Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+Detection:
+ - IOA: Multiple TCP SYN packets to sequential ports from a single source IP.
+ - IOA: High rate of connection attempts to closed ports.

From b9bcd6fcb592fe41a9d5b17467a6c3c34e2f5837 Mon Sep 17 00:00:00 2001
From: x90slide <45627103+BinFault@users.noreply.github.com>
Date: Sat, 20 Dec 2025 23:02:39 +0530
Subject: [PATCH 5/5] Update Powershell.yml

---
 yml/OSBinaries/Powershell.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/yml/OSBinaries/Powershell.yml b/yml/OSBinaries/Powershell.yml
index 758c814c..d4dd619c 100644
--- a/yml/OSBinaries/Powershell.yml
+++ b/yml/OSBinaries/Powershell.yml
@@ -15,5 +15,5 @@ Commands:
 Full_Path:
 - Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 Detection:
- - IOA: Multiple TCP SYN packets to sequential ports from a single source IP.
- - IOA: High rate of connection attempts to closed ports.
+ - IOC: Multiple TCP SYN packets to sequential ports from a single source IP.
+ - IOC: High rate of connection attempts to closed ports.
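Review bot: The two `Detection` entries added in patch 4 describe network-layer behaviour (SYN bursts, connections to closed ports) that is only observable on the wire or at a network sensor, and nothing in them ties the activity to powershell.exe or to the `Net.Sockets.TcpClient` call this entry documents; they also assume sequential ports, while the entry's own comment shows discrete lists such as `80,443` are equally likely. A host-side indicator would let a defender catch the command where it actually runs, for example a script-block log (PowerShell Event ID 4104) containing `Net.Sockets.TcpClient` together with `.Connect(`, or a single powershell.exe process opening many outbound TCP connections to distinct ports within a short window (Sysmon Event ID 3). Patch 5 later renames these keys from `IOA` to `IOC`, so any rewording should be applied to that final form.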