New PowerShell Instance Created

Detects the execution of PowerShell via the creation of a named pipe starting with PSHost

Sigma rule (View on GitHub)

 1title: New PowerShell Instance Created
 2id: ac7102b4-9e1e-4802-9b4f-17c5524c015c
 3related:
 4    - id: 58cb02d5-78ce-4692-b3e1-dce850aae41a
 5      type: derived
 6status: test
 7description: Detects the execution of PowerShell via the creation of a named pipe starting with PSHost
 8references:
 9    - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
10    - https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html
11author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
12date: 2019-09-12
13modified: 2023-11-30
14tags:
15    - attack.execution
16    - attack.t1059.001
17logsource:
18    product: windows
19    category: pipe_created
20    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
21detection:
22    selection:
23        PipeName|startswith: '\PSHost'
24    condition: selection
25falsepositives:
26    - Likely
27level: informational

References

Related rules

to-top