
Detect Reverse PowerShell

This example detects a Nishang reverse PowerShell session tunneled through ICMP echo requests. For details, see https://logrhythm.com/blog/identifying-powershell-tunneling-through-icmp.

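--- Flag ICMP echo requests that carry the Nishang reverse PowerShell banner.
-- Invoked by the DPI engine per packet. When the session's latest application
-- is "icmp" and the packet is an echo request (ICMP type 8) whose payload
-- contains "Windows PowerShell", the session is tagged with custom fields and a
-- warning is logged. The user name is copied out of the payload only through a
-- restrictive character class, so attacker-controlled payload bytes cannot put
-- arbitrary text into the custom field.
-- @param dpiMsg DPI message for the session (engine-provided)
-- @param packet raw packet (engine-provided)
function Packet_DetectReversePowerShell (dpiMsg, packet)
  require 'LOG' -- presumably supplies EZWARNING; require caches, so this is cheap
  if GetLatestApplication(dpiMsg) ~= "icmp" then
    return
  end
  -- The ICMP type sits at byte 20 only for an IPv4 header without options;
  -- IPv6 and IPv4-with-options packets will not be matched by this rule.
  local icmpType = GetPayloadData(packet, 20, 20)
  if icmpType ~= 8 then -- 8 = echo request
    return
  end
  local payload = GetPayloadString(packet) -- the entire payload as a string
  -- string.match raises on a nil subject, which would abort the rule; bail out
  -- quietly instead when the engine hands back no payload.
  if payload == nil then
    return
  end
  -- Plain (non-pattern) search for the banner. This is a string signature and
  -- therefore only one indicator of tunneling, not proof on its own.
  if string.find(payload, "Windows PowerShell", 1, true) == nil then
    return
  end
  SetCustomField(dpiMsg, "ICMP_Tunnel_Signature", "Windows PowerShell")
  -- The character class bounds what is copied from the payload into the field.
  local user = string.match(payload, "user ([%a%d@_-]+) ")
  if user ~= nil then
    SetCustomField(dpiMsg, "ICMP_Tunnel_User", "User:" .. user)
  end
  -- user may still be nil here; it is passed to EZWARNING unchanged, as before.
  EZWARNING("Session: ", GetUuid(dpiMsg), ", ICMP PowerShell Tunnel. user: ", user)
end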