Renamed Powershell Under Powershell Channel
Detects a renamed (or relocated) powershell.exe via the classic Windows PowerShell log: a ConsoleHost engine-start event whose HostApplication is not one of the known powershell binary paths.
Sigma rule
title: Renamed Powershell Under Powershell Channel
id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
status: test
description: Detects PowerShell console host starts whose HostApplication is not a known powershell.exe path, indicating a renamed or relocated powershell binary
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Harish Segar, frack113
date: 2020-06-29
modified: 2023-10-27
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    # ps_classic_start maps to Event ID 400 ("Engine state is changed from None to Available") in the "Windows PowerShell" channel
    category: ps_classic_start
detection:
    selection:
        Data|contains: 'HostName=ConsoleHost'
    # Note: PowerShell logging data is localized, meaning that the "HostApplication" field name is translated on a non-English layout.
    # This rule doesn't take this into account due to the sheer amount of possibilities. It's up to the user to add these cases.
    filter_main_ps:
        Data|contains:
            - 'HostApplication=powershell'
            - 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
            - 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
            # In some cases powershell was invoked with inverted slashes
            - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
            - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: low
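To see what the condition above actually catches and misses, the following added example (not part of the Sigma rule or of SigmaHQ) re-implements the selection and filter_main_ps logic in Python and runs it over constructed Event ID 400 payloads. The payloads are abridged to the fields the rule reads; the `HostApplicationLocalized` label is a stand-in for a translated field name, not a real translation, and the paths, arguments and engine version are made up for illustration.

```python
"""Run the 'Renamed Powershell Under Powershell Channel' logic over constructed
Windows PowerShell classic Event ID 400 payloads.

Added example, not part of the Sigma rule or of SigmaHQ. Payloads are
constructed to resemble the 'Data' text of Event 400 in the 'Windows
PowerShell' channel, abridged to the fields the rule reads.
"""
from __future__ import annotations

# The rule's selection and filter_main_ps values, copied from the YAML.
SELECTION = ["HostName=ConsoleHost"]
FILTER_MAIN_PS = [
    "HostApplication=powershell",
    r"HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell",
    r"HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell",
    "HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell",
    "HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell",
]


def contains_any(data: str, needles: list[str]) -> bool:
    """Sigma 'contains' is case-insensitive by default, so compare lowered text."""
    lowered = data.lower()
    return any(needle.lower() in lowered for needle in needles)


def matches(data: str) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return contains_any(data, SELECTION) and not contains_any(data, FILTER_MAIN_PS)


def host_application(data: str) -> str | None:
    """Pull the HostApplication value out of the payload so an analyst can see
    which binary and arguments started the engine when the rule fires."""
    for line in data.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.lower() == "hostapplication":
            return value
    return None


def event400(host_name: str, host_application_line: str) -> str:
    """Build an abridged, constructed Event 400 'Data' payload."""
    return (
        "Engine state is changed from None to Available.\n\n"
        "Details:\n"
        "\tNewEngineState=Available\n"
        "\tPreviousEngineState=None\n"
        f"\tHostName={host_name}\n"
        f"\t{host_application_line}\n"
        "\tEngineVersion=5.1.19041.1\n"
    )


# Constructed sample events covering what the rule does and does not catch.
EVENTS = {
    # Benign: full System32 path, and bare 'powershell' resolved via PATH.
    "system32_path": event400(
        "ConsoleHost",
        r"HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile",
    ),
    "bare_name": event400("ConsoleHost", "HostApplication=powershell -ExecutionPolicy Bypass"),
    # Benign: forward slashes and odd casing still hit the filter (case-insensitive contains).
    "forward_slashes": event400(
        "ConsoleHost", "HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe"
    ),
    "lowercase_path": event400(
        "consolehost", r"hostapplication=c:\windows\syswow64\windowspowershell\v1.0\powershell.exe"
    ),
    # Suspicious: powershell.exe copied to a staging directory under another name.
    "renamed_binary": event400(
        "ConsoleHost", r"HostApplication=C:\Users\Public\svchost.exe -nop -w hidden -enc SQBFAFgA"
    ),
    # Also fires: the binary keeps its name but runs from a non-standard path.
    "relocated_copy": event400("ConsoleHost", r"HostApplication=C:\Temp\powershell.exe"),
    # Out of scope: ISE reports a different HostName, so selection never matches.
    "ise_host": event400(
        "Windows PowerShell ISE Host",
        r"HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    ),
    # Caveat from the rule comment: on a non-English layout the field label is
    # translated. 'HostApplicationLocalized' is a stand-in label, not a real
    # translation; the filter cannot match it, so a benign start is flagged.
    "localized_label": event400(
        "ConsoleHost",
        r"HostApplicationLocalized=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    ),
}


def evaluate(events: dict[str, str] = EVENTS) -> dict[str, bool]:
    """Return {event name: rule fired} for each sample payload."""
    return {name: matches(data) for name, data in events.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:16} fired={fired!s:5} HostApplication={host_application(EVENTS[name])}")
```

Two results are worth noting when tuning: the rule fires on a powershell.exe that keeps its name but runs from a non-standard directory (the `relocated_copy` case), and on every ConsoleHost start from a localized Windows where the HostApplication label is translated, which is the false-positive source the rule's own comment warns about. Adding the translated label to filter_main_ps for each language in the estate closes the second gap.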
Related rules
- AWS EC2 Startup Shell Script Change
- Alternate PowerShell Hosts - PowerShell Module
- Alternate PowerShell Hosts Pipe
- Bad Opsec Powershell Code Artifacts
- BloodHound Collection Files