Suspicious Interactive PowerShell as SYSTEM
Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context
Sigma rule (View on GitHub)
1title: Suspicious Interactive PowerShell as SYSTEM
2id: 5b40a734-99b6-4b98-a1d0-1cea51a08ab2
3status: test
4description: Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context
5references:
6 - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm
7author: Florian Roth (Nextron Systems)
8date: 2021/12/07
9modified: 2022/08/13
10tags:
11 - attack.execution
12 - attack.t1059.001
13logsource:
14 product: windows
15 category: file_event
16detection:
17 selection:
18 TargetFilename:
19 - 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
20 - 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive'
21 condition: selection
22falsepositives:
23 - Administrative activity
24 - PowerShell scripts running as SYSTEM user
25level: high
References
-
1 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create. LogonGuid/LogonId: ID of the logon session ParentProcessGuid/ParentProcessId: Process ID of the parent ...
Read More
Related rules
- AWS EC2 Startup Shell Script Change
- Execute Code with Pester.bat as Parent
- Execution of Powershell Script in Public Folder
- Invoke-Obfuscation Via Use Rundll32 - PowerShell
- Invoke-Obfuscation Via Use Rundll32 - PowerShell Module