Alternate PowerShell Hosts Pipe
Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
Sigma rule (View on GitHub)
1title: Alternate PowerShell Hosts Pipe
2id: 58cb02d5-78ce-4692-b3e1-dce850aae41a
3status: test
4description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
5references:
6 - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
7 - https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html
8author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
9date: 2019/09/12
10modified: 2023/10/18
11tags:
12 - attack.execution
13 - attack.t1059.001
14logsource:
15 product: windows
16 category: pipe_created
17 definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
18detection:
19 selection:
20 PipeName|startswith: '\PSHost'
21 filter_main_generic:
22 Image|contains:
23 - ':\Program Files\Citrix\'
24 - ':\Program Files\Microsoft\Exchange Server\'
25 - ':\Program Files\PowerShell\7-preview\pwsh.exe' # Powershell 7
26 - ':\Program Files\PowerShell\7\pwsh.exe' # Powershell 7
27 - ':\Windows\system32\dsac.exe'
28 - ':\Windows\system32\inetsrv\w3wp.exe' # this is sad :,( but it triggers FPs on Exchange servers
29 - ':\Windows\System32\sdiagnhost.exe'
30 - ':\Windows\system32\ServerManager.exe'
31 - ':\Windows\system32\wbem\wmiprvse.exe'
32 - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
33 - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
34 - ':\Windows\System32\wsmprovhost.exe'
35 - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
36 - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
37 filter_main_sqlserver: # Microsoft SQL Server\130\Tools\
38 Image|contains|all:
39 - ':\Program Files'
40 - '\Microsoft SQL Server\'
41 Image|endswith: '\Tools\Binn\SQLPS.exe'
42 filter_main_null:
43 Image: null
44 condition: selection and not 1 of filter_main_*
45falsepositives:
46 - Programs using PowerShell directly without invocation of a dedicated interpreter.
47level: medium
References
Related rules
- Bad Opsec Powershell Code Artifacts
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Exchange PowerShell Snap-Ins Usage
- HackTool - Bloodhound/Sharphound Execution
- HackTool - CrackMapExec PowerShell Obfuscation