Alternate PowerShell Hosts Pipe

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

Sigma rule (View on GitHub)

 1title: Alternate PowerShell Hosts Pipe
 2id: 58cb02d5-78ce-4692-b3e1-dce850aae41a
 3status: test
 4description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
 5references:
 6    - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
 7    - https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html
 8author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
 9date: 2019/09/12
10modified: 2023/10/18
11tags:
12    - attack.execution
13    - attack.t1059.001
14logsource:
15    product: windows
16    category: pipe_created
17    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
18detection:
19    selection:
20        PipeName|startswith: '\PSHost'
21    filter_main_generic:
22        Image|contains:
23            - ':\Program Files\Citrix\'
24            - ':\Program Files\Microsoft\Exchange Server\'
25            - ':\Program Files\PowerShell\7-preview\pwsh.exe' # Powershell 7
26            - ':\Program Files\PowerShell\7\pwsh.exe' # Powershell 7
27            - ':\Windows\system32\dsac.exe'
28            - ':\Windows\system32\inetsrv\w3wp.exe'   # this is sad :,( but it triggers FPs on Exchange servers
29            - ':\Windows\System32\sdiagnhost.exe'
30            - ':\Windows\system32\ServerManager.exe'
31            - ':\Windows\system32\wbem\wmiprvse.exe'
32            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
33            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
34            - ':\Windows\System32\wsmprovhost.exe'
35            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
36            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
37    filter_main_sqlserver: # Microsoft SQL Server\130\Tools\
38        Image|contains|all:
39            - ':\Program Files'
40            - '\Microsoft SQL Server\'
41        Image|endswith: '\Tools\Binn\SQLPS.exe'
42    filter_main_null:
43        Image: null
44    condition: selection and not 1 of filter_main_*
45falsepositives:
46    - Programs using PowerShell directly without invocation of a dedicated interpreter.
47level: medium

References

Related rules

to-top