Execute Code with Pester.bat

Detects code execution via Pester.bat (Pester - the PowerShell module for testing)

Sigma rule

title: Execute Code with Pester.bat
id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
status: test
description: Detects code execution via Pester.bat (Pester - the PowerShell module for testing)
references:
    - https://twitter.com/Oddvarmoe/status/993383596244258816
    - https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md
author: Julia Fomina, oscd.community
date: 2020/10/08
modified: 2023/11/09
tags:
    - attack.execution
    - attack.t1059.001
    - attack.defense_evasion
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    powershell_module:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains|all:
            - 'Pester'
            - 'Get-Help'
    cmd_execution:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - 'pester'
            - ';'
    get_help:
        CommandLine|contains:
            - 'help'
            - '\?'
    condition: powershell_module or (cmd_execution and get_help)
falsepositives:
    - Legitimate use of Pester for writing tests for PowerShell scripts and modules
level: medium
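The detection block above, evaluated over a handful of constructed process_creation events. This is an added example, not part of the Sigma rule or of the SigmaHQ project: it transcribes the three selections and the condition into plain Python using Sigma's matching semantics (case-insensitive strings, `|contains` as substring, `|contains|all` requiring every value, and `\?` escaping the `?` wildcard so it matches a literal question mark). The Pester.bat path, the command lines and the process images are assumptions made for illustration, not captured telemetry.

```python
# Added example, not part of the Sigma rule or the SigmaHQ project: a small
# evaluator for this rule's detection block, run over constructed
# process_creation events. The command lines below are assumptions made for
# illustration, not captured telemetry.
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process_creation event: only the two fields the rule reads."""
    Image: str
    CommandLine: str


# Sigma string matching is case-insensitive, so normalise before comparing.
def _endswith_any(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_all(value, needles):
    v = value.lower()
    return all(n.lower() in v for n in needles)


def _contains_any(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)


# --- the three selections, transcribed from the rule -----------------------
def powershell_module(ev):
    return (_endswith_any(ev.Image, ["\\powershell.exe", "\\pwsh.exe"])
            and _contains_all(ev.CommandLine, ["Pester", "Get-Help"]))


def cmd_execution(ev):
    return (_endswith_any(ev.Image, ["\\cmd.exe"])
            and _contains_all(ev.CommandLine, ["pester", ";"]))


def get_help(ev):
    # In Sigma '?' is a single-character wildcard; the rule writes '\?' so the
    # selection matches a literal question mark (the "Pester.bat ?" switch).
    return _contains_any(ev.CommandLine, ["help", "?"])


def matches(ev):
    """condition: powershell_module or (cmd_execution and get_help)"""
    return powershell_module(ev) or (cmd_execution(ev) and get_help(ev))


# --- constructed sample events (assumed, not real telemetry) ----------------
PESTER_BAT = r"C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat"

SAMPLES = {
    # LOLBAS-style abuse: the help switch is followed by an injected command.
    "cmd_help_semicolon": ProcEvent(
        r"C:\Windows\System32\cmd.exe",
        f'cmd.exe /c "{PESTER_BAT}" /help;calc.exe'),
    "cmd_question_mark": ProcEvent(
        r"C:\Windows\System32\cmd.exe",
        f'cmd.exe /c "{PESTER_BAT}" ?;calc.exe'),
    # The PowerShell child that Pester.bat spawns to render its help text.
    "pwsh_child_of_pester_bat": ProcEvent(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        'powershell.exe -NoProfile -Command "Import-Module Pester; Get-Help Invoke-Pester"'),
    # Benign developer activity that still trips the first selection
    # (the rule's own falsepositives entry).
    "dev_reads_help": ProcEvent(
        r"C:\Program Files\PowerShell\7\pwsh.exe",
        'pwsh.exe -Command "Get-Help Invoke-Pester -Full"'),
    # Should NOT match: running tests, no help lookup, no semicolon trick.
    "dev_runs_tests": ProcEvent(
        r"C:\Program Files\PowerShell\7\pwsh.exe",
        r'pwsh.exe -Command "Invoke-Pester -Path .\tests"'),
    "cmd_pester_no_semicolon": ProcEvent(
        r"C:\Windows\System32\cmd.exe",
        f'cmd.exe /c "{PESTER_BAT}" /help'),
    "cmd_unrelated_semicolon": ProcEvent(
        r"C:\Windows\System32\cmd.exe",
        'cmd.exe /c "echo a; help"'),
}


def evaluate_samples():
    """Run the rule over every sample and report which ones fire."""
    return {name: matches(ev) for name, ev in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{'ALERT' if fired else 'quiet'}  {name}")
```

Two things the walk-through makes visible. First, the `cmd_execution` branch needs both the Pester string and a `;` in the same command line, so `Pester.bat /help` on its own stays quiet; the rule is keyed on the command-chaining trick, not on Pester.bat itself. Second, the `powershell_module` branch fires on any PowerShell command line carrying both `Pester` and `Get-Help`, which is exactly what a developer reading module help produces; that is the false positive the rule declares, and the reason it ships at `medium` rather than `high`.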
