Potentially Suspicious PowerShell Child Processes
Detects potentially suspicious child processes spawned by PowerShell
Sigma rule
title: Potentially Suspicious PowerShell Child Processes
id: e4b6d2a7-d8a4-4f19-acbd-943c16d90647
status: experimental
description: Detects potentially suspicious child processes spawned by PowerShell
references:
    - https://twitter.com/ankit_anubhav/status/1518835408502620162
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2022/04/26
modified: 2023/05/30
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        Image|endswith:
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\certutil.exe'
            - '\cscript.exe'
            - '\forfiles.exe'
            - '\hh.exe'
            - '\mshta.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\scrcons.exe'
            - '\scriptrunner.exe'
            - '\sh.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    filter_optional_amazon:
        ParentCommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\' # AWS Workspaces
        CommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\' # AWS Workspaces
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Some false positives are to be expected from PowerShell scripts that make use of additional binaries such as "mshta", "bitsadmin", etc. Apply additional filters for those scripts when needed.
level: high
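To show how the rule's three parts combine (the ANDed selection keys, the optional filter that needs both command lines to reference the AWS WorkSpaces scripts directory, and the condition), here is an added example that evaluates the same logic in Python over constructed process_creation events; it is not code from the rule page or the Sigma project, and the event ids, paths and command lines are made up for this example.

```python
# Added example (not the rule page's or Sigma's own code): the rule's logic over constructed events
PARENT_IMAGES = ("\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe")
CHILD_IMAGES = (
    "\\bash.exe", "\\bitsadmin.exe", "\\certutil.exe", "\\cscript.exe",
    "\\forfiles.exe", "\\hh.exe", "\\mshta.exe", "\\regsvr32.exe",
    "\\rundll32.exe", "\\schtasks.exe", "\\scrcons.exe", "\\scriptrunner.exe",
    "\\sh.exe", "\\wmic.exe", "\\wscript.exe",
)
AWS_SCRIPTS = "\\Program Files\\Amazon\\WorkspacesConfig\\Scripts\\"

def _endswith_any(value, suffixes):
    # Sigma string matching is case-insensitive, so normalise both sides
    return any(value.lower().endswith(s.lower()) for s in suffixes)

def selection(ev):
    # Both keys of the 'selection' map must hold (implicit AND)
    return (_endswith_any(ev.get("ParentImage", ""), PARENT_IMAGES)
            and _endswith_any(ev.get("Image", ""), CHILD_IMAGES))

def filter_optional_amazon(ev):
    # Both command lines must reference the AWS WorkSpaces scripts directory
    aws = AWS_SCRIPTS.lower()
    return (aws in ev.get("ParentCommandLine", "").lower()
            and aws in ev.get("CommandLine", "").lower())

def matches(ev):
    # condition: selection and not 1 of filter_optional_*
    return selection(ev) and not any(f(ev) for f in (filter_optional_amazon,))

# Constructed process_creation events; "id" is a label for this example only
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"id": "ps-mshta", "ParentImage": PS, "ParentCommandLine": "powershell -File C:\\Temp\\run.ps1",
     "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe C:\\Temp\\page.hta"},
    {"id": "aws-workspaces", "ParentImage": PS,
     "ParentCommandLine": "powershell -File \"C:\\Program Files\\Amazon\\WorkspacesConfig\\Scripts\\setup.ps1\"",
     "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -hashfile \"C:\\Program Files\\Amazon\\WorkspacesConfig\\Scripts\\cert.cer\""},
    {"id": "aws-parent-only", "ParentImage": PS,
     "ParentCommandLine": "powershell -File \"C:\\Program Files\\Amazon\\WorkspacesConfig\\Scripts\\setup.ps1\"",
     "Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil -hashfile C:\\Temp\\x.cer"},
    {"id": "explorer-rundll32", "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "explorer.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"id": "pwsh-upper", "ParentImage": "C:\\Program Files\\PowerShell\\7\\PWSH.EXE", "ParentCommandLine": "pwsh",
     "Image": "C:\\Windows\\System32\\SCHTASKS.EXE", "CommandLine": "schtasks /query"},
]
def alerts(events=EVENTS):
    return [ev["id"] for ev in events if matches(ev)]
```

Only the fully AWS-scoped event is suppressed: when just the parent command line points into the WorkSpaces directory the filter does not apply and the rule still fires, which is why the rule's own false-positive note suggests adding further filters per script.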
Related rules
- Certificate Exported Via PowerShell
- Execution of Powershell Script in Public Folder
- HackTool - CrackMapExec Execution
- Potential BlackByte Ransomware Activity
- Potential DLL File Download Via PowerShell Invoke-WebRequest