
Detect Reverse PowerShell

This example detects the Nishang reverse PowerShell shell tunneled through ICMP echo-request packets, matching on the "Windows PowerShell" banner in the ICMP payload. For details, see

function Packet_DetectReversePowerShell (dpiMsg, packet)
  require 'LOG'
  if GetLatestApplication(dpiMsg) == "icmp" then
    -- Get ICMP type (byte 20 for IPv4 packets)
    local icmpType = GetPayloadData(packet, 20, 20)
    if icmpType == 8 then
      -- Look at the bytes from the payload, does it match "Windows PowerShell"
      local payload = GetPayloadString(packet) -- Get the entire payload
      if string.match(payload, "Windows PowerShell") ~= nil then
        SetCustomField(dpiMsg, "ICMP_Tunnel_Signature", "Windows PowerShell")
        local user = string.match(payload, "user ([%a%d@_-]+) ")
        if user ~= nil then
          SetCustomField(dpiMsg, "ICMP_Tunnel_User", "User:" .. user)
        EZWARNING("Session: ", GetUuid(dpiMsg), ", ICMP PowerShell Tunnel. user: ", user)