Alternate PowerShell Hosts - PowerShell Module

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

Sigma rule

title: Alternate PowerShell Hosts - PowerShell Module
id: 64e8e417-c19a-475a-8d19-98ea705394cc
status: test
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
references:
    - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-11
modified: 2025-10-17
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        ContextInfo|contains: '*'
    filter_powershell:
        # This filter covers the following use cases
        #   - When powershell is called directly from the command line via the keyword powershell or powershell.exe
        #   - Or called via its path but without the full ".exe". Example: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell
        ContextInfo|contains:
            - '= powershell' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event
            - '= C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
            - '= C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
            # In some cases powershell was invoked with forward slashes
            - '= C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
            - '= C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
            # In some cases the \??\C:.. NT path form is used
            - '= \\\?\?\C:Windows\System32\WindowsPowerShell\v1.0\powershell'
            - '= \\\?\?\C:Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
    filter_sdiagnhost:
        ContextInfo|contains: '= C:\WINDOWS\System32\sdiagnhost.exe -Embedding' # When MSDT is launched for example
    filter_citrix:
        ContextInfo|contains: 'ConfigSyncRun.exe'
    filter_adace:  # Active Directory Administrative Center Enhancements
        ContextInfo|contains: 'C:\Windows\system32\dsac.exe'
    filter_winrm:
        ContextInfo|contains: 'C:\Windows\system32\wsmprovhost.exe -Embedding'
    filter_help_update:
        Payload|contains:
            - 'Update-Help'
            - 'Failed to update Help for the module'
    condition: selection and not 1 of filter_*
falsepositives:
    - Programs using PowerShell directly without invocation of a dedicated interpreter
    - MSP Detection Searcher
    - Citrix ConfigSync.ps1
level: medium
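To see how the rule's selection and filter logic behaves on real-looking module-logging records, here is an added Python evaluator that is not part of the SigmaHQ rule or its tooling. It copies the rule's pattern strings, resolves Sigma's backslash escaping (a backslash before `\`, `?` or `*` yields that character; any other backslash is literal), applies the case-insensitive `contains` semantics, and evaluates `selection and not 1 of filter_*` over a few constructed events. The event shape (a dict carrying `ContextInfo` and `Payload`), the `Host Application =` line layout, and every sample path are assumptions made for the example.

```python
"""Added example: evaluate the Alternate PowerShell Hosts Sigma rule over
constructed PowerShell module-logging events (not the rule's own tooling)."""
import re

# Pattern strings copied from the rule, still in Sigma escaping.
FILTERS = {
    "filter_powershell": ("ContextInfo", [
        r"= powershell",
        r"= C:\Windows\System32\WindowsPowerShell\v1.0\powershell",
        r"= C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell",
        r"= C:/Windows/System32/WindowsPowerShell/v1.0/powershell",
        r"= C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell",
        r"= \\\?\?\C:Windows\System32\WindowsPowerShell\v1.0\powershell",
        r"= \\\?\?\C:Windows\SysWOW64\WindowsPowerShell\v1.0\powershell",
    ]),
    "filter_sdiagnhost": ("ContextInfo", [r"= C:\WINDOWS\System32\sdiagnhost.exe -Embedding"]),
    "filter_citrix": ("ContextInfo", ["ConfigSyncRun.exe"]),
    "filter_adace": ("ContextInfo", [r"C:\Windows\system32\dsac.exe"]),
    "filter_winrm": ("ContextInfo", [r"C:\Windows\system32\wsmprovhost.exe -Embedding"]),
    "filter_help_update": ("Payload", ["Update-Help", "Failed to update Help for the module"]),
}


def sigma_unescape(pattern: str) -> str:
    # A backslash followed by \, ? or * resolves to that character; a backslash
    # followed by anything else is a literal backslash (Sigma escaping rules).
    return re.sub(r"\\([\\?*])", r"\1", pattern)


def contains_any(value: str, patterns) -> bool:
    # Sigma "contains" is a case-insensitive substring match.
    hay = value.lower()
    return any(sigma_unescape(p).lower() in hay for p in patterns)


def matched_filters(event: dict) -> list:
    """Names of the filter_* blocks that match this event."""
    return [name for name, (field, pats) in FILTERS.items()
            if contains_any(event.get(field, ""), pats)]


def rule_matches(event: dict) -> bool:
    # selection: ContextInfo|contains '*' -> the field only has to be present.
    # condition: selection and not 1 of filter_*
    return "ContextInfo" in event and not matched_filters(event)


def host_application(context_info: str):
    """Extract the 'Host Application = ...' value the filters key on."""
    m = re.search(r"Host Application\s*=\s*([^\r\n]+)", context_info)
    return m.group(1).strip() if m else None


def alerting_hosts(events) -> list:
    return [host_application(e["ContextInfo"]) for e in events if rule_matches(e)]


def ctx(host_app: str, host_name: str = "ConsoleHost") -> str:
    # Constructed ContextInfo text in the layout of a module-logging (4103) event.
    return ("        Severity = Informational\r\n"
            f"        Host Name = {host_name}\r\n"
            f"        Host Application = {host_app}\r\n"
            "        Engine Version = 5.1.19041.1\r\n")


# Constructed sample events; the paths are illustrative, not observed data.
SAMPLE_EVENTS = [
    {"ContextInfo": ctx(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile"),
     "Payload": 'CommandInvocation(Get-Process): "Get-Process"'},
    {"ContextInfo": ctx(r"C:\Windows\system32\wsmprovhost.exe -Embedding", "ServerRemoteHost"),
     "Payload": 'CommandInvocation(Get-Service): "Get-Service"'},
    {"ContextInfo": ctx(r"C:\Program Files\Contoso\Agent.exe", "Default Host"),  # hypothetical agent
     "Payload": 'CommandInvocation(Update-Help): "Update-Help"'},
    {"ContextInfo": ctx(r"C:\Users\Public\updater.exe", "Default Host"),  # unknown host: should alert
     "Payload": 'CommandInvocation(Invoke-WebRequest): "Invoke-WebRequest"'},
]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict = "ALERT" if rule_matches(e) else f"filtered by {matched_filters(e)}"
        print(f"{host_application(e['ContextInfo'])!r}: {verdict}")
```

Running the block alerts only on the fourth event (the unknown `updater.exe` host); the other three are suppressed by `filter_powershell`, `filter_winrm` and `filter_help_update` respectively. `sigma_unescape` is also a quick way to print what each pattern resolves to before deploying a converted rule: the two `\??\` entries, for instance, resolve to `= \??\C:Windows\System32\...` and `= \??\C:Windows\SysWOW64\...`, so compare that against the exact text your events carry in `ContextInfo`.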
