NF – Microsoft Powershell Banner Outbound

This alert is triggered when outbound traffic from $HOME_NET to $EXTERNAL_NET contains the Windows PowerShell console banner (the copyright text a PowerShell console prints when it starts), indicating that a PowerShell script or command is being executed and its output is potentially being sent to an external host. This can be a legitimate action or a sign of unauthorized or malicious activity, such as data exfiltration or command-and-control communication.

Categories:

ID Number

5025701

Signature

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"NF - Microsoft Powershell Banner Outbound"; flow:established; content:"Windows PowerShell"; content:"Copyright |28|C|29| 20"; distance:0; content:"Microsoft Corp"; distance:0; reference:url,networkforensic.dk; metadata:05052018; classtype:successful-admin; sid:5025701; rev:1;)
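To show how the three content matches in this signature chain together (each distance:0 means the next match must start at or after the end of the previous one, and |28| / |29| are hex escapes for the parentheses), here is an added Python re-implementation of the rule's content-matching logic run over constructed sample payloads. It is example code written for this page, not part of the rule set, and the payloads are made up, not captured traffic.

```python
# The three ordered content matches from sid:5025701, copied from the rule.
# distance:0 means each match must begin at or after the end of the previous one.
# The rule has no "nocase" modifier, so matching is case-sensitive.
RULE_CONTENTS = ["Windows PowerShell", "Copyright |28|C|29| 20", "Microsoft Corp"]


def decode_content(pattern: str) -> bytes:
    """Translate Snort/Suricata content syntax into raw bytes.

    Text outside pipes is literal; text inside |...| is a list of hex
    bytes, e.g. |28|C|29| -> b"(C)".
    """
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes.fromhex(part.replace(" ", ""))
    return bytes(out)


def matches_banner_rule(payload: bytes) -> bool:
    """Apply the rule's chained content matches to one TCP payload."""
    cursor = 0
    for pattern in RULE_CONTENTS:
        needle = decode_content(pattern)
        idx = payload.find(needle, cursor)
        if idx < 0:
            return False
        cursor = idx + len(needle)  # distance:0 -> next search resumes here
    return True


# Constructed sample payloads (not real captures).
BANNER = (b"Windows PowerShell\r\nCopyright (C) 2016 Microsoft Corporation. "
          b"All rights reserved.\r\n\r\nPS C:\\Users\\user> ")
BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
          b"User-Agent: Microsoft Corp\r\n\r\n")
# Same strings, wrong order: the ordered distance:0 chain must not fire.
OUT_OF_ORDER = b"Microsoft Corp Copyright (C) 2016 Windows PowerShell"

if __name__ == "__main__":
    for name, p in [("banner", BANNER), ("benign", BENIGN), ("out_of_order", OUT_OF_ORDER)]:
        print(f"{name}: {'ALERT' if matches_banner_rule(p) else 'no match'}")
```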

Severity

Medium

Recommendations/Investigative actions

Identify which internal device is generating the outbound PowerShell traffic and review the commands or scripts it executed to confirm they are not part of malicious operations, such as malware or unauthorized administrative actions. Block outbound traffic originating from PowerShell scripts if it is not required for legitimate operations.