Execute Code with Pester.bat as Parent

Detects code execution via Pester.bat (Pester is a PowerShell module for writing and running tests)

Sigma rule

title: Execute Code with Pester.bat as Parent
id: 18988e1b-9087-4f8a-82fe-0414dce49878
related:
    - id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
      type: similar
status: test
description: Detects code execution via Pester.bat (Pester - PowerShell module for testing)
references:
    - https://twitter.com/Oddvarmoe/status/993383596244258816
    - https://twitter.com/_st0pp3r_/status/1560072680887525378
author: frack113, Nasreddine Bencherchali
date: 2022/08/20
tags:
    - attack.execution
    - attack.t1059.001
    - attack.defense_evasion
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    # Parent is a PowerShell host launched against the Pester module directory
    selection_module:
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        ParentCommandLine|contains: '\WindowsPowerShell\Modules\Pester\'
    # Parent command line carries the script-block wrapper that Pester.bat emits
    selection_cli:
        ParentCommandLine|contains:
            - '{ Invoke-Pester -EnableExit ;'
            - '{ Get-Help "'
    # Both selections must match (the lists inside each selection are ORed)
    condition: all of selection_*
falsepositives:
    - Legitimate use of Pester for writing tests for PowerShell scripts and modules
level: medium
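To see how the two selections combine, here is an added example (not part of the Sigma project or this rule's upstream code): a minimal evaluator for just this rule, run over constructed process_creation events with placeholder paths. It mirrors Sigma's default case-insensitive string matching and its `all of selection_*` condition.

```python
# Added example (not Sigma project code): a minimal evaluator for the rule
# above, run over constructed events. Sigma matching is case-insensitive
# by default, which the evaluator mirrors.
RULE = {
    "selection_module": {
        "ParentImage|endswith": ["\\powershell.exe", "\\pwsh.exe"],
        "ParentCommandLine|contains": ["\\WindowsPowerShell\\Modules\\Pester\\"],
    },
    "selection_cli": {
        "ParentCommandLine|contains": ["{ Invoke-Pester -EnableExit ;", '{ Get-Help "'],
    },
}

def _entry_matches(event, key, values):
    """One 'Field|modifier' entry; the listed values are ORed."""
    field, _, modifier = key.partition("|")
    if modifier not in ("endswith", "contains"):
        raise ValueError(f"unsupported modifier: {modifier}")
    actual = str(event.get(field, "")).lower()
    test = actual.endswith if modifier == "endswith" else actual.__contains__
    return any(test(v.lower()) for v in values)

def selection_matches(event, selection):
    """Entries inside one selection map are ANDed."""
    return all(_entry_matches(event, k, v) for k, v in selection.items())

def rule_matches(event):
    """condition: all of selection_* -> every selection must match."""
    return all(selection_matches(event, s) for s in RULE.values())

# Constructed sample events (placeholder paths, not real telemetry).
PESTER_DIR = "C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\"
SAMPLE_EVENTS = [
    {  # Pester.bat-style wrapper as parent: both selections match -> alert
        "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentCommandLine": f'powershell.exe -Command "& {{ Invoke-Pester -EnableExit ; }}" {PESTER_DIR}Pester.psm1',
    },
    {  # Ordinary test run that imports Pester: selection_cli fails -> no alert
        "ParentImage": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
        "ParentCommandLine": f"pwsh.exe -Command Import-Module {PESTER_DIR}Pester.psd1; Invoke-Pester .\\tests",
    },
    {  # Get-Help variant with odd casing: still alerts (case-insensitive)
        "ParentImage": "C:\\PROGRAM FILES\\POWERSHELL\\7\\PWSH.EXE",
        "ParentCommandLine": f'& {{ GET-HELP "{PESTER_DIR.upper()}PESTER.PSM1" }}',
    },
]

def alerts(events=SAMPLE_EVENTS):
    """Indexes of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]
```

The second event shows the documented false positive: a normal Pester run satisfies `selection_module` alone, so the rule stays quiet until the Pester.bat wrapper strings also appear.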
