Uncommon PowerShell Hosts

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

Sigma rule

title: Uncommon PowerShell Hosts
id: d7326048-328b-4d5e-98af-86e84b17c765
related:
    - id: 64e8e417-c19a-475a-8d19-98ea705394cc
      type: derived
status: test
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
references:
    - https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/11
modified: 2023/11/03
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains: 'HostApplication='
    # Note: PowerShell logging data is localized, meaning that the "HostApplication" field will be translated to a different field name on a non-English layout. This rule doesn't take this into account due to the sheer amount of possibilities. It's up to the user to add these cases.
    filter_main_ps:
        Data|contains:
            - 'HostApplication=powershell'
            - 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
            - 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
            # In some cases powershell was invoked with inverted (forward) slashes
            - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
            - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
    filter_optional_citrix:
        Data|contains: 'Citrix\ConfigSync\ConfigSync.ps1'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Programs using PowerShell directly without invocation of a dedicated interpreter
    - MSP Detection Searcher
    - Citrix ConfigSync.ps1
level: medium
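To see what the condition above actually does on real event text, here is an added re-implementation of the rule's matching logic in Python (not the rule's own or Sigma's code), run over constructed EventID 400 Data values; the CustomHost and Citrix paths are invented, and the helper mirrors Sigma's default case-insensitive `contains`:

```python
"""Matching logic of the Sigma rule "Uncommon PowerShell Hosts", applied to the
Data field of classic PowerShell engine-start events (ps_classic_start)."""
import re

# Strings from the rule's filter_main_ps list. The bare "powershell" prefix also
# covers powershell_ise.exe living in the same directory.
FILTER_MAIN_PS = (
    "HostApplication=powershell",
    r"HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell",
    r"HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell",
    "HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell",
    "HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell",
)
# Strings from the rule's filter_optional_citrix list.
FILTER_OPTIONAL = (r"Citrix\ConfigSync\ConfigSync.ps1",)

def contains(data: str, needle: str) -> bool:
    # Sigma's |contains modifier is case-insensitive by default; a backend that
    # emitted a case-sensitive check would wrongly alert on "PowerShell.exe".
    return needle.lower() in data.lower()

def rule_matches(data: str) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    selection = contains(data, "HostApplication=")
    filter_main = any(contains(data, s) for s in FILTER_MAIN_PS)
    filter_optional = any(contains(data, s) for s in FILTER_OPTIONAL)
    return selection and not filter_main and not filter_optional

def uncommon_hosts(events):
    """HostApplication value of every event the rule fires on, for triage."""
    hits = []
    for data in events:
        if rule_matches(data):
            host = re.split(r"HostApplication=", data, 1, flags=re.IGNORECASE)[1]
            hits.append(host.splitlines()[0].strip())
    return hits

# Constructed sample Data values in the shape of EventID 400 "Engine state is
# changed from None to Available" events (constructed, not captured logs).
SAMPLE_EVENTS = [
    "Engine state is changed from None to Available.\n\tHostName=ConsoleHost\n\t"
    "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShell.exe -NoProfile",
    "Engine state is changed from None to Available.\n\tHostName=ConsoleHost\n\t"
    "HostApplication=powershell.exe -File C:\\Scripts\\backup.ps1",
    "Engine state is changed from None to Available.\n\tHostName=Default Host\n\t"
    "HostApplication=C:\\Program Files\\CustomHost\\custom_host.exe",
    "Engine state is changed from None to Available.\n\tHostName=Default Host\n\t"
    "HostApplication=C:\\Program Files\\Citrix\\ConfigSync\\ConfigSyncHost.exe -File C:\\Program Files\\Citrix\\ConfigSync\\ConfigSync.ps1",
]
```

Only the custom host survives both filters; the Citrix event is dropped by the optional filter alone, since its HostApplication does not start with powershell.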
