Alternate PowerShell Hosts Pipe
Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
Sigma rule (View on GitHub)
1title: Alternate PowerShell Hosts Pipe
2id: 58cb02d5-78ce-4692-b3e1-dce850aae41a
3related:
4 - id: ac7102b4-9e1e-4802-9b4f-17c5524c015c
5 type: derived
6status: test
7description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
8references:
9 - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
10 - https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html
11author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
12date: 2019/09/12
13modified: 2023/10/18
14tags:
15 - attack.execution
16 - attack.t1059.001
17logsource:
18 product: windows
19 category: pipe_created
20 definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
21detection:
22 selection:
23 PipeName|startswith: '\PSHost'
24 filter_main_generic:
25 Image|contains:
26 - ':\Program Files\PowerShell\7-preview\pwsh.exe' # Powershell 7
27 - ':\Program Files\PowerShell\7\pwsh.exe' # Powershell 7
28 - ':\Windows\system32\dsac.exe'
29 - ':\Windows\system32\inetsrv\w3wp.exe' # this is sad :,( but it triggers FPs on Exchange servers
30 - ':\Windows\System32\sdiagnhost.exe'
31 - ':\Windows\system32\ServerManager.exe'
32 - ':\Windows\system32\wbem\wmiprvse.exe'
33 - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
34 - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
35 - ':\Windows\System32\wsmprovhost.exe'
36 - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
37 - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
38 filter_main_sqlserver: # Microsoft SQL Server\130\Tools\
39 Image|contains|all:
40 - ':\Program Files'
41 - '\Microsoft SQL Server\'
42 Image|endswith: '\Tools\Binn\SQLPS.exe'
43 filter_optional_citrix:
44 Image|contains: ':\Program Files\Citrix\'
45 filter_optional_exchange:
46 Image|contains: ':\Program Files\Microsoft\Exchange Server\'
47 filter_main_null:
48 Image: null
49 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
50falsepositives:
51 - Programs using PowerShell directly without invocation of a dedicated interpreter.
52level: medium
References
-
Analytics# A few initial ideas to explore your data and validate your detection logic: Analytic I# Within the classic PowerShell log, event ID 400 indicates when a new PowerShell host process has s...
Read More -
Offensive Tradecraft# Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Therefore, it is important to understand the basic art...
Read More
Related rules
- Change PowerShell Policies to an Insecure Level
- Change PowerShell Policies to an Insecure Level - PowerShell
- New PowerShell Instance Created
- PowerView PowerShell Cmdlets - ScriptBlock
- Remote LSASS Process Access Through Windows Remote Management