Alternate PowerShell Hosts Pipe
Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
Sigma rule (View on GitHub)
1title: Alternate PowerShell Hosts Pipe
2id: 58cb02d5-78ce-4692-b3e1-dce850aae41a
3related:
4 - id: ac7102b4-9e1e-4802-9b4f-17c5524c015c
5 type: derived
6status: test
7description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
8references:
9 - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
10 - https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html
11author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
12date: 2019-09-12
13modified: 2024-10-07
14tags:
15 - attack.execution
16 - attack.t1059.001
17logsource:
18 product: windows
19 category: pipe_created
20 definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
21detection:
22 selection:
23 PipeName|startswith: '\PSHost'
24 filter_main_generic:
25 Image|contains:
26 - ':\Program Files\PowerShell\7-preview\pwsh.exe' # Powershell 7
27 - ':\Program Files\PowerShell\7\pwsh.exe' # Powershell 7
28 - ':\Windows\system32\dsac.exe'
29 - ':\Windows\system32\inetsrv\w3wp.exe' # this is sad :,( but it triggers FPs on Exchange servers
30 - ':\Windows\System32\sdiagnhost.exe'
31 - ':\Windows\system32\ServerManager.exe'
32 - ':\Windows\system32\wbem\wmiprvse.exe'
33 - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
34 - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
35 - ':\Windows\System32\wsmprovhost.exe'
36 - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
37 - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
38 filter_optional_sqlserver: # Microsoft SQL Server\130\Tools\
39 Image|startswith:
40 - 'C:\Program Files (x86)\'
41 - 'C:\Program Files\'
42 Image|contains: '\Microsoft SQL Server\'
43 Image|endswith: '\Tools\Binn\SQLPS.exe'
44 filter_optional_azure_connected_machine_agent:
45 # Azure Connected Machine Agent (https://devblogs.microsoft.com/powershell/azure-policy-guest-configuration-client/)
46 Image|startswith: 'C:\Program Files\AzureConnectedMachineAgent\GCArcService'
47 Image|endswith: '\GC\gc_worker.exe'
48 filter_optional_citrix:
49 Image|startswith: 'C:\Program Files\Citrix\'
50 filter_optional_exchange:
51 Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
52 filter_main_null:
53 Image: null
54 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
55falsepositives:
56 - Programs using PowerShell directly without invocation of a dedicated interpreter.
57level: medium
References
-
Analytics# A few initial ideas to explore your data and validate your detection logic: Analytic I# Within the classic PowerShell log, event ID 400 indicates when a new PowerShell host process has s...
Read More -
Offensive Tradecraft# Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Therefore, it is important to understand the basic art...
Read More
Related rules
- Lace Tempest PowerShell Evidence Eraser
- Lace Tempest PowerShell Launcher
- Remote Thread Creation Via PowerShell In Uncommon Target
- UNC2452 Process Creation Patterns
- ChromeLoader Malware Execution