Detect Reverse PowerShell

This example detects a Nishang reverse PowerShell session tunneled through ICMP. For details, see https://logrhythm.com/blog/identifying-powershell-tunneling-through-icmp.

--- Flag ICMP echo requests whose payload carries a Nishang-style reverse PowerShell banner.
-- On a hit, sets the custom field ICMP_Tunnel_Signature (and ICMP_Tunnel_User when a
-- "user <name> " token is present in the payload) and emits an EZWARNING for the session.
-- @param dpiMsg message record handed to GetLatestApplication/SetCustomField/GetUuid
-- @param packet raw packet handed to GetPayloadData/GetPayloadString
function Packet_DetectReversePowerShell (dpiMsg, packet)
  require 'LOG'

  -- Only ICMP sessions are of interest; everything else is ignored.
  if GetLatestApplication(dpiMsg) ~= "icmp" then
    return
  end

  -- ICMP type is read at byte 20 of the packet. NOTE(review): this presumes a
  -- 20-byte IPv4 header (no IP options); packets carrying options would be
  -- probed at the wrong offset and silently skipped -- confirm against the
  -- GetPayloadData contract.
  local icmp_type = GetPayloadData(packet, 20, 20)
  if icmp_type ~= 8 then  -- 8 = ICMP echo request
    return
  end

  -- Full payload as a string. The signature is a plain literal with no Lua
  -- pattern magic characters, so string.match is safe to use unescaped here.
  local payload = GetPayloadString(packet)
  if not string.match(payload, "Windows PowerShell") then
    return
  end

  SetCustomField(dpiMsg, "ICMP_Tunnel_Signature", "Windows PowerShell")

  -- Optional "user <name> " token; the capture allows letters, digits, '@', '_' and '-'.
  local tunnel_user = string.match(payload, "user ([%a%d@_-]+) ")
  if tunnel_user then
    SetCustomField(dpiMsg, "ICMP_Tunnel_User", "User:" .. tunnel_user)
  end

  -- tunnel_user may be nil when no token matched; it is passed through as-is,
  -- so EZWARNING is presumed to tolerate a nil argument -- verify.
  EZWARNING("Session: ", GetUuid(dpiMsg), ", ICMP PowerShell Tunnel. user: ", tunnel_user)
end