Renamed Powershell Under Powershell Channel
Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
Sigma rule
title: Renamed Powershell Under Powershell Channel
id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
status: test
description: |
    Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Harish Segar, frack113
date: 2020-06-29
modified: 2024-10-08
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1036.003
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains: 'HostName=ConsoleHost'
    # Note: Powershell Logging Data is localized. Meaning that "HostApplication" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer amount of possibilities. It's up to the user to add these cases.
    filter_main_ps:
        Data|contains:
            - 'HostApplication=powershell'
            - 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
            - 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
            # In some cases powershell was invoked with inverted slashes
            - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
            - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
    filter_main_host_application_null:
        # Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex.
        # If you're already mapping and extracting the field, then obviously use that directly.
        Data|re: 'HostId=[a-zA-Z0-9-]{36} EngineVersion='
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: low
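The rule's logic, reimplemented in Python and run over constructed Event 400 ("Engine state is changed") Data strings, so the selection, the two filters and the `1 of filter_main_*` condition can be checked against concrete inputs. This is an added example, not code from the Sigma project. It assumes the collector flattens the event's key=value pairs onto one line separated by single spaces (which is what the rule's `HostId=... EngineVersion=` regex expects); the GUIDs and version numbers are made up. Sigma's `contains` modifier is case-insensitive while `re` is case-sensitive by default, and the evaluator mirrors that.

```python
import re
from typing import Optional

# Allow-listed HostApplication prefixes, copied from the rule's filter_main_ps.
# Sigma "contains" is case-insensitive, so both sides are lower-cased when matching.
LEGIT_HOST_APPLICATION_PREFIXES = (
    r"HostApplication=powershell",
    r"HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell",
    r"HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell",
    r"HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell",
    r"HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell",
)

# filter_main_host_application_null: when HostApplication is absent, the HostId
# GUID is immediately followed by EngineVersion. Sigma "re" is case-sensitive
# by default, so no IGNORECASE flag here.
NULL_HOST_APPLICATION_RE = re.compile(r"HostId=[a-zA-Z0-9-]{36} EngineVersion=")


def is_renamed_powershell(data: str) -> bool:
    """Evaluate the rule condition 'selection and not 1 of filter_main_*'
    against one flattened Event 400 Data string."""
    lowered = data.lower()
    selection = "hostname=consolehost" in lowered
    filter_main_ps = any(p.lower() in lowered for p in LEGIT_HOST_APPLICATION_PREFIXES)
    filter_null = NULL_HOST_APPLICATION_RE.search(data) is not None
    return selection and not (filter_main_ps or filter_null)


def build_event_data(host_name: str, host_application: Optional[str]) -> str:
    """Construct a flattened Event 400 Data string (sample data, not a real log).
    Field names and order follow the classic PowerShell engine-state event; the
    GUIDs and versions are invented. Fields are joined with single spaces, which is
    the layout the rule's regex assumes (assumption: a collector that preserves the
    original newline/tab separators would need the regex adjusted)."""
    fields = [
        ("NewEngineState", "Available"),
        ("PreviousEngineState", "None"),
        ("SequenceNumber", "13"),
        ("HostName", host_name),
        ("HostVersion", "5.1.19041.1"),
        ("HostId", "3f7c2a10-5b6d-4e8f-9a0b-1c2d3e4f5a6b"),  # 36-char GUID, constructed
    ]
    if host_application is not None:
        fields.append(("HostApplication", host_application))
    fields += [
        ("EngineVersion", "5.1.19041.1"),
        ("RunspaceId", "9a8b7c6d-5e4f-4a3b-8c2d-1e0f9a8b7c6d"),
    ]
    return " ".join(f"{k}={v}" for k, v in fields)


# Constructed sample events covering each branch of the rule.
SAMPLE_EVENTS = {
    # Normal console PowerShell from its documented path: filtered by filter_main_ps.
    "legit_system32": build_event_data(
        "ConsoleHost",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile"),
    # Bare name, mixed case: still filtered because "contains" is case-insensitive.
    "legit_bare_name_mixed_case": build_event_data("ConsoleHost", "PowerShell.exe"),
    # Console host launched from a binary with a different name/path: alert.
    "renamed_binary": build_event_data("ConsoleHost", r"C:\Temp\updater.exe -NoProfile"),
    # HostApplication missing entirely: suppressed by the null-field regex.
    "host_application_missing": build_event_data("ConsoleHost", None),
    # Other hosts are out of scope for this rule even with an unusual path.
    "not_console_host": build_event_data("Windows PowerShell ISE Host", r"C:\Temp\updater.exe"),
}


def classify_events(events: dict) -> dict:
    """Map each sample name to True (alert) or False (filtered / not selected)."""
    return {name: is_renamed_powershell(data) for name, data in events.items()}


if __name__ == "__main__":
    for name, hit in classify_events(SAMPLE_EVENTS).items():
        print(f"{name:28s} -> {'ALERT' if hit else 'no alert'}")
```

The `not_console_host` case shows the rule's scope: only `ConsoleHost` is selected, so renamed binaries hosting a different PowerShell host (ISE, remoting) need other rules, such as those listed under Related rules. The evaluator also inherits the localisation gap noted in the rule's comments: on a non-English layout the `HostApplication` label differs, the allow-list does not match, and every console start would alert until the translated label is added to `filter_main_ps`.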
References
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
Related rules
- Suspicious Non PowerShell WSMAN COM Provider
- Alternate PowerShell Hosts Pipe
- Lace Tempest PowerShell Evidence Eraser
- Lace Tempest PowerShell Launcher
- Remote Thread Creation Via PowerShell In Uncommon Target