Alternate PowerShell Hosts Pipe

calendar Oct 9, 2025 · attack.execution attack.t1059.001  ·
Share on: linkedin copy

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

Sigma rule (View on GitHub)

 1title: Alternate PowerShell Hosts Pipe
 2id: 58cb02d5-78ce-4692-b3e1-dce850aae41a
 3related:
 4    - id: ac7102b4-9e1e-4802-9b4f-17c5524c015c
 5      type: derived
 6status: test
 7description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
 8references:
 9    - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
10    - https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html
11author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
12date: 2019-09-12
13modified: 2025-10-07
14tags:
15    - attack.execution
16    - attack.t1059.001
17logsource:
18    product: windows
19    category: pipe_created
20    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
21detection:
22    selection:
23        PipeName|startswith: '\PSHost'
24    filter_main_generic:
25        - Image|contains:
26              - ':\Program Files\PowerShell\7-preview\pwsh.exe' # Powershell 7
27              - ':\Program Files\PowerShell\7\pwsh.exe' # Powershell 7
28              - ':\Windows\system32\dsac.exe'
29              - ':\Windows\system32\inetsrv\w3wp.exe'   # this is sad :,( but it triggers FPs on Exchange servers
30              - ':\Windows\System32\sdiagnhost.exe'
31              - ':\Windows\system32\ServerManager.exe'
32              - ':\Windows\system32\wbem\wmiprvse.exe'
33              - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
34              - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
35              - ':\Windows\System32\wsmprovhost.exe'
36              - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
37              - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
38        - Image|contains|all:
39              - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
40              - '\pwsh.exe'
41        - Image|contains|all:
42              - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
43              - '\pwsh.exe'
44    filter_optional_sqlserver: # Microsoft SQL Server\130\Tools\
45        Image|startswith:
46            - 'C:\Program Files (x86)\'
47            - 'C:\Program Files\'
48        Image|contains: '\Microsoft SQL Server\'
49        Image|endswith: '\Tools\Binn\SQLPS.exe'
50    filter_optional_azure_connected_machine_agent:
51        # Azure Connected Machine Agent (https://devblogs.microsoft.com/powershell/azure-policy-guest-configuration-client/)
52        Image|startswith: 'C:\Program Files\AzureConnectedMachineAgent\GCArcService'
53        Image|endswith: '\GC\gc_worker.exe'
54    filter_optional_citrix:
55        Image|startswith: 'C:\Program Files\Citrix\'
56    filter_optional_exchange:
57        Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
58    filter_main_null:
59        Image: null
60    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
61falsepositives:
62    - Programs using PowerShell directly without invocation of a dedicated interpreter.
63level: medium

References

Related rules

to-top