Powershell Execute Batch Script

 1title: Powershell Execute Batch Script
 2id: b5522a23-82da-44e5-9c8b-e10ed8955f88
 3status: test
 4description: |
 5    Adversaries may abuse the Windows command shell for execution.
 6    The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.
 7    The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.
 8    Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.
 9    Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system    
10references:
11    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script
12author: frack113
13date: 2022-01-02
14tags:
15    - attack.execution
16    - attack.t1059.003
17logsource:
18    product: windows
19    category: ps_script
20    definition: 'Requirements: Script Block Logging must be enabled'
21detection:
22    selection_start:
23        ScriptBlockText|contains: Start-Process
24    selection_batch:
25        ScriptBlockText|contains:
26            - '.cmd'
27            - '.bat'
28    condition: all of selection_*
29falsepositives:
30    - Legitimate administration script
31level: medium