SigmaHQ/rules/windows/sysmon/sysmon_powershell_execution_pipe.yml

title: T1086 PowerShell Execution
id: ac7102b4-9e1e-4802-9b4f-17c5524c015c
description: Detects execution of PowerShell
status: experimental
date: 2019/09/12
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
    - attack.execution
    - attack.t1059.001
references:
    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 17
        PipeName|startswith: '\PSHost'
    condition: selection
falsepositives:
    - Unknown
level: informational
10 rules from THP - contributing soon 2020-10-12 19:42:34 +00:00			`title: T1086 PowerShell Execution`
			`id: ac7102b4-9e1e-4802-9b4f-17c5524c015c`
			`description: Detects execution of PowerShell`
			`status: experimental`
			`date: 2019/09/12`
			`author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)`
			`tags:`
			`- attack.execution`
			`- attack.t1059.001`
			`references:`
			`- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html`
			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
Fixes&improvements 2021-04-07 22:32:01 +00:00			`selection:`
10 rules from THP - contributing soon 2020-10-12 19:42:34 +00:00			`EventID: 17`
Fixes&improvements 2021-04-07 22:32:01 +00:00			`PipeName\|startswith: '\PSHost'`
10 rules from THP - contributing soon 2020-10-12 19:42:34 +00:00			`condition: selection`
			`falsepositives:`
			`- Unknown`
Fixes&improvements 2021-04-07 22:32:01 +00:00			`level: informational`