Alternate PowerShell Hosts - PowerShell Module

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

Sigma rule

title: Alternate PowerShell Hosts - PowerShell Module
id: 64e8e417-c19a-475a-8d19-98ea705394cc
status: test
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
references:
    - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-11
modified: 2022-12-13
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        ContextInfo|contains: '*'
    filter_powershell:
        # This filter covers the following use cases
        #   - When powershell is called directly from the command line via the keyword powershell or powershell.exe
        #   - Or called via path but without the full ".exe" suffix. Example: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell
        ContextInfo|contains:
            - '= powershell' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event
            - '= C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
            - '= C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
            # In some cases powershell was invoked with forward slashes
            - '= C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
            - '= C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
    filter_sdiagnhost:
        ContextInfo|contains: '= C:\WINDOWS\System32\sdiagnhost.exe -Embedding' # When MSDT is launched, for example
    filter_citrix:
        ContextInfo|contains: 'ConfigSyncRun.exe'
    filter_adace:  # Active Directory Administrative Center Enhancements
        ContextInfo|contains: 'C:\Windows\system32\dsac.exe'
    filter_winrm:
        ContextInfo|contains: 'C:\Windows\system32\wsmprovhost.exe -Embedding'
    filter_help_update:
        Payload|contains:
            - 'Update-Help'
            - 'Failed to update Help for the module'
    condition: selection and not 1 of filter_*
falsepositives:
    - Programs using PowerShell directly without invocation of a dedicated interpreter
    - MSP Detection Searcher
    - Citrix ConfigSync.ps1
level: medium
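To show what the detection block above actually selects, here is an added example (not code from the Sigma project or from the rule's author) that evaluates the rule's condition in Python over constructed Event ID 4103 records. The event layout, the sample host applications and the helper names are assumptions; Sigma string modifiers are case-insensitive, which the comparisons reproduce.

```python
# Sigma 'contains' is case-insensitive, so both sides are lowercased.
# Backslashes are literal here because no wildcard follows them.
FILTER_POWERSHELL = [
    "= powershell",
    r"= C:\Windows\System32\WindowsPowerShell\v1.0\powershell",
    r"= C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell",
    "= C:/Windows/System32/WindowsPowerShell/v1.0/powershell",
    "= C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell",
]
FILTER_HOSTS = [  # filter_sdiagnhost, filter_citrix, filter_adace, filter_winrm
    r"= C:\WINDOWS\System32\sdiagnhost.exe -Embedding",
    "ConfigSyncRun.exe",
    r"C:\Windows\system32\dsac.exe",
    r"C:\Windows\system32\wsmprovhost.exe -Embedding",
]
FILTER_HELP_UPDATE = ["Update-Help", "Failed to update Help for the module"]


def _contains(value: str, needles) -> bool:
    value = value.lower()
    return any(n.lower() in value for n in needles)


def matches_rule(event: dict) -> bool:
    """condition: selection and not 1 of filter_*"""
    context = event.get("ContextInfo")
    if context is None:  # selection 'ContextInfo|contains: *' needs the field
        return False
    if _contains(context, FILTER_POWERSHELL + FILTER_HOSTS):
        return False
    return not _contains(event.get("Payload", ""), FILTER_HELP_UPDATE)


def make_event(host: str, payload: str = "CommandInvocation(Get-Date)") -> dict:
    """Constructed 4103 record (assumed layout): ContextInfo is the multi-line
    text block whose 'Host Application = ...' line the filters key on."""
    context = f"Severity = Informational\r\n Host Name = ConsoleHost\r\n Host Application = {host}\r\n Engine Version = 5.1"
    return {"Host": host, "ContextInfo": context, "Payload": payload}


def alerting_hosts(events) -> list:
    """Host Application values of the events that trigger the rule."""
    return [e["Host"] for e in events if matches_rule(e)]


SAMPLE_EVENTS = [  # constructed, not real telemetry
    make_event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile"),
    make_event("powershell.exe -NoLogo"),
    make_event(r"C:\WINDOWS\System32\sdiagnhost.exe -Embedding"),
    make_event(r"C:\Program Files\Contoso\Agent\ContosoHost.exe"),  # alternate host: alerts
    make_event(r"C:\Program Files\Contoso\Agent\ContosoHost.exe", "Update-Help -Force"),
    {"Payload": "record with no ContextInfo field"},
]
```

Only the fourth sample event survives the filters: its host application is neither powershell.exe nor one of the known benign hosts, and its payload is not a help update.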
