SigmaHQ/rules/windows/powershell/powershell_exe_calling_ps.yml

title: PowerShell called from an Executable
status: experimental
description: Detects PowerShell called from an executable by the version mismatch method
reference: https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
    platform: windows
    product: powershell
    description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
    seletcion:
        EventID: 400
        EngineVersion: '2.*'
        HostVersion:
            - '3.*'
            - '4.*'
            - '5.*'
    condition: keywords
falsepositives:
    - Pentesters
level: high
First PowerShell Ruleset 2017-03-05 00:47:25 +00:00			`title: PowerShell called from an Executable`
			`status: experimental`
			`description: Detects PowerShell called from an executable by the version mismatch method`
			`reference: https://adsecurity.org/?p=2921`
			`author: Sean Metcalf (source), Florian Roth (rule)`
			`logsource:`
			`platform: windows`
			`product: powershell`
			`description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'`
			`detection:`
			`seletcion:`
			`EventID: 400`
			`EngineVersion: '2.*'`
			`HostVersion:`
			`- '3.*'`
			`- '4.*'`
			`- '5.*'`
			`condition: keywords`
			`falsepositives:`
			`- Pentesters`
			`level: high`