Execute Code with Pester.bat as Parent
Detects code execution via Pester.bat (Pester - Powershell Module for testing)
Sigma rule
```yaml
title: Execute Code with Pester.bat as Parent
id: 18988e1b-9087-4f8a-82fe-0414dce49878
related:
    - id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
      type: similar
status: test
description: Detects code execution via Pester.bat (Pester - Powershell Module for testing)
references:
    - https://twitter.com/Oddvarmoe/status/993383596244258816
    - https://twitter.com/_st0pp3r_/status/1560072680887525378
author: frack113, Nasreddine Bencherchali
date: 2022-08-20
tags:
    - attack.execution
    - attack.t1059.001
    - attack.defense-evasion
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection_module:
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        ParentCommandLine|contains: '\WindowsPowerShell\Modules\Pester\'
    selection_cli:
        ParentCommandLine|contains:
            - '{ Invoke-Pester -EnableExit ;'
            - '{ Get-Help "'
    condition: all of selection_*
falsepositives:
    - Legitimate use of Pester for writing tests for Powershell scripts and modules
level: medium
```
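An added Python evaluator for the rule's logic (not part of the Sigma rule or the Sigma project), run over constructed process_creation events; the sample command lines are shaped to carry the strings the rule matches on and are not copied from Pester.bat.

```python
# Added example, not from the Sigma rule or project: evaluates this rule's logic over
# constructed process_creation events. Sigma's endswith/contains modifiers are
# case-insensitive, so both sides are lowercased before comparison.
PARENT_IMAGES = ("\\powershell.exe", "\\pwsh.exe")               # ParentImage|endswith
MODULE_PATH = "\\windowspowershell\\modules\\pester\\"           # ParentCommandLine|contains
CLI_MARKERS = ("{ invoke-pester -enableexit ;", '{ get-help "')  # ParentCommandLine|contains


def matches_pester_bat_parent(event: dict) -> bool:
    """True when 'all of selection_*' holds for one process_creation event."""
    parent_image = event.get("ParentImage", "").lower()
    parent_cmd = event.get("ParentCommandLine", "").lower()
    selection_module = parent_image.endswith(PARENT_IMAGES) and MODULE_PATH in parent_cmd
    selection_cli = any(marker in parent_cmd for marker in CLI_MARKERS)
    return selection_module and selection_cli


def detect(events: list) -> list:
    """Indices of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_pester_bat_parent(ev)]


# Constructed samples: command lines are shaped to carry the rule's strings, not copied
# from Pester.bat. Field names follow the Sigma process_creation taxonomy.
MODULE_DIR = "C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\"
PESTER_PSD1 = MODULE_DIR + "Pester.psd1"
SAMPLE_EVENTS = [
    {  # wrapper launched the Invoke-Pester block from the module directory -> alert
        "Image": "C:\\Windows\\System32\\calc.exe",
        "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentCommandLine": f"powershell -NoProfile -Command \"Import-Module '{PESTER_PSD1}'; "
                             "& { Invoke-Pester -EnableExit ; }\"",
    },
    {  # Get-Help variant under pwsh.exe; mixed case still matches -> alert
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Program Files\\PowerShell\\7\\PWSH.EXE",
        "ParentCommandLine": f'pwsh -Command "& {{ Get-Help ""{PESTER_PSD1}"" }}"',
    },
    {  # developer running tests interactively: no module path in the command line -> no alert
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentCommandLine": 'powershell -Command "& { Invoke-Pester -EnableExit ; }"',
    },
    {  # cmd.exe running Pester.bat carries the path but is the wrong ParentImage -> no alert
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "ParentCommandLine": f'cmd /c "{MODULE_DIR}Pester.bat"',
    },
]

if __name__ == "__main__":
    print("alerting events:", detect(SAMPLE_EVENTS))  # -> [0, 1]
```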
Related rules
- Execute Code with Pester.bat
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Detection of PowerShell Execution via Sqlps.exe
- Greenbug Espionage Group Indicators
- HTML Help HH.EXE Suspicious Child Process