Non Interactive PowerShell Process Spawned
Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.
Sigma rule
```yaml
title: Non Interactive PowerShell Process Spawned
id: f4bbd493-b796-416e-bbf2-121235348529
status: test
description: Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.
references:
    - https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
date: 2019-09-12
modified: 2023-09-07
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    filter_main_generic:
        ParentImage|endswith:
            - ':\Windows\explorer.exe'
            - ':\Windows\System32\CompatTelRunner.exe'
            - ':\Windows\SysWOW64\explorer.exe'
    filter_main_windows_update:
        # Suffix match, like the other parent filters: a bare string would require an exact match on a value that starts with a drive letter
        ParentImage|endswith: ':\$WINDOWS.~BT\Sources\SetupHost.exe' # During Windows updates/upgrades
        # CommandLine: powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
    filter_optional_vscode:
        # Triggered by VsCode when you open a Shell inside the workspace
        ParentImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
        ParentCommandLine|contains: ' --ms-enable-electron-run-as-node '
    filter_optional_terminal:
        ParentImage|contains: ':\Program Files\WindowsApps\Microsoft.WindowsTerminal_'
        ParentImage|endswith: '\WindowsTerminal.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB scripts which may trigger this rule often. It is best to add additional filters or use this to hunt for anomalies
level: low
```
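An added evaluator, not the Sigma project's code, that applies this rule's selection, filter_main_*, filter_optional_* and condition to constructed process_creation events, so you can see which parents the filters suppress and why the OriginalFileName branch matters. Field names follow the Sigma Windows process_creation taxonomy; the events and paths are constructed, not captured telemetry.

```python
# Added example (not the Sigma project's code): applies this rule's selection,
# filters and condition to constructed process_creation events. Sigma string
# matching is case-insensitive, so both sides are lowercased before comparing.
IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
ORIGINAL_NAMES = ("powershell.exe", "pwsh.dll")
MAIN_PARENTS = (":\\windows\\explorer.exe", ":\\windows\\system32\\compattelrunner.exe",
                ":\\windows\\syswow64\\explorer.exe", ":\\$windows.~bt\\sources\\setuphost.exe")
VSCODE_PARENT = "\\appdata\\local\\programs\\microsoft vs code\\code.exe"
VSCODE_ARG = " --ms-enable-electron-run-as-node "
TERMINAL_PART, TERMINAL_PARENT = ":\\program files\\windowsapps\\microsoft.windowsterminal_", "\\windowsterminal.exe"

def _f(event, field):
    """Lowercased field value; a missing field compares as an empty string."""
    return str(event.get(field, "")).lower()

def selection(event):
    """A list of maps under 'selection' is an OR: Image suffix OR OriginalFileName."""
    return _f(event, "Image").endswith(IMAGE_SUFFIXES) or _f(event, "OriginalFileName") in ORIGINAL_NAMES

def filter_main(event):
    """1 of filter_main_*: interactive explorer, CompatTelRunner or Windows setup as parent."""
    return _f(event, "ParentImage").endswith(MAIN_PARENTS)

def filter_optional(event):
    """1 of filter_optional_*: VS Code integrated shell or Windows Terminal as parent."""
    parent = _f(event, "ParentImage")
    vscode = parent.endswith(VSCODE_PARENT) and VSCODE_ARG in _f(event, "ParentCommandLine")
    return vscode or (TERMINAL_PART in parent and parent.endswith(TERMINAL_PARENT))

def rule_matches(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return selection(event) and not filter_main(event) and not filter_optional(event)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = {  # constructed sample events keyed by what the parent process is
    "explorer": {"Image": PS, "OriginalFileName": "PowerShell.EXE", "ParentImage": r"C:\Windows\explorer.exe"},
    "cmd_batch": {"Image": PS, "OriginalFileName": "PowerShell.EXE", "ParentImage": r"C:\Windows\System32\cmd.exe",
                  "ParentCommandLine": r"cmd.exe /c C:\scripts\backup.bat"},
    "setuphost": {"Image": PS, "OriginalFileName": "PowerShell.EXE",
                  "ParentImage": r"C:\$WINDOWS.~BT\Sources\SetupHost.exe"},
    "vscode_shell": {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "OriginalFileName": "pwsh.dll",
                     "ParentImage": r"C:\Users\a\AppData\Local\Programs\Microsoft VS Code\Code.exe",
                     "ParentCommandLine": "Code.exe --ms-enable-electron-run-as-node bootstrap-fork"},
    # Renamed pwsh binary: the Image suffix misses it, the OriginalFileName branch still selects it
    "renamed_pwsh": {"Image": r"C:\Users\a\AppData\Local\Temp\svc.exe", "OriginalFileName": "pwsh.dll",
                     "ParentImage": r"C:\Windows\System32\cmd.exe"},
}

def matching_events(events=SAMPLE_EVENTS):
    """Names of the sample events the rule would alert on."""
    return sorted(name for name, ev in events.items() if rule_matches(ev))
```

Drop the `--ms-enable-electron-run-as-node` argument from the vscode_shell sample and the event alerts again, which is the point of the ParentCommandLine condition in filter_optional_vscode.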
Related rules
- AWS EC2 Startup Shell Script Change
- Alternate PowerShell Hosts - PowerShell Module
- Bad Opsec Powershell Code Artifacts
- BloodHound Collection Files
- Certificate Exported Via PowerShell