PowerShell Injecting into Other Process

Looks for process access activity (Sysmon Event ID 10 in the Sigma `process_access` category) where the source process is PowerShell and the target is any other process. Inspired by the 2022 Red Canary Threat Detection report. Because the selection filters only on the source image, every handle PowerShell opens to another process matches, including routine `Get-Process` style queries, so expect to tune it on the target image or the granted access mask in your environment.

Sigma rule

```yaml
title: PowerShell Injecting into Other Process
id: 95d5a93d-b755-4443-87d2-48125a4172ac
status: experimental
description: Looks for process access activity where PowerShell is accessing any other
    processes. Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/process-injection/
author: Micah Babinski
date: 2022/11/03
tags:
    - attack.privilege_escalation
    - attack.t1055
logsource:
    category: process_access
    product: windows
detection:
    selection:
        SourceImage|endswith: '\powershell.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
```
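The following is an added example, not part of the rule page or of the Sigma project's code. It applies the rule's single `selection` (`SourceImage|endswith '\powershell.exe'`, compared case-insensitively as Sigma string modifiers are) to a handful of constructed Sysmon Event ID 10 records, then shows one tuning step that the rule itself does not perform: narrowing hits to handles whose `GrantedAccess` mask includes the rights an injector needs (`PROCESS_CREATE_THREAD`, `PROCESS_VM_OPERATION`, `PROCESS_VM_WRITE`). The `EventID == 10` check stands in for the backend's `process_access` logsource mapping; the sample events and their field values are constructed for this example.

```python
"""Run the page's Sigma selection over constructed Sysmon Event ID 10 records."""

# Sysmon Event ID 10 (ProcessAccess) is the usual Windows source for Sigma's
# `process_access` category. These records are constructed for the example.
SAMPLE_EVENTS = [
    {"EventID": 10,
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": "0x1FFFFF"},                       # PROCESS_ALL_ACCESS
    {"EventID": 10,
     "SourceImage": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\POWERSHELL.EXE",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1410"},                         # query + VM_READ only
    {"EventID": 10,
     "SourceImage": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10,
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000"},
    {"EventID": 1,                                       # ProcessCreate, wrong category
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def sigma_endswith(value, suffix):
    """Sigma's `endswith` modifier: string comparison is case-insensitive by default."""
    return value is not None and value.lower().endswith(suffix.lower())


def rule_selection(event):
    """The rule's `selection`: SourceImage|endswith '\\powershell.exe'.

    The EventID check stands in for the `process_access` logsource mapping
    that a Sigma backend would apply (assumption made for this example).
    """
    return event.get("EventID") == 10 and sigma_endswith(
        event.get("SourceImage"), r"\powershell.exe")


def run_rule(events):
    """Return every event the rule would alert on."""
    return [e for e in events if rule_selection(e)]


# Tuning step that is NOT part of the Sigma rule above: an injector typically
# needs all three of these process access rights on the target handle.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def injection_capable(event):
    """True when the granted access mask contains every right in INJECTION_MASK."""
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return granted & INJECTION_MASK == INJECTION_MASK


def tuned_hits(events):
    """Rule hits narrowed to handles that could actually be used for injection."""
    return [e for e in run_rule(events) if injection_capable(e)]


if __name__ == "__main__":
    for e in run_rule(SAMPLE_EVENTS):
        print("rule hit:", e["SourceImage"], "->", e["TargetImage"],
              "injection-capable" if injection_capable(e) else "query-only")
    print("tuned hits:", len(tuned_hits(SAMPLE_EVENTS)))
```

Two things the run makes visible. First, the `0x1410` handle to `lsass.exe` matches the rule but carries only query and read rights, the shape of a `Get-Process` call rather than an injection, which is why a `GrantedAccess` or `TargetImage` filter is the natural next tuning step. Second, PowerShell 7 ships as `pwsh.exe`, which does not end with `\powershell.exe`, so that binary never matches this selection.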
