SigmaHQ/rules/windows/process_creation/win_renamed_powershell.yml

33 lines
881 B
YAML
Raw Normal View History

2019-08-22 12:22:36 +00:00
title: Renamed PowerShell
2019-11-12 22:12:27 +00:00
id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20
2019-08-22 12:22:36 +00:00
status: experimental
2019-11-12 22:12:27 +00:00
description: Detects the execution of a renamed PowerShell often used by attackers or malware
2019-08-22 12:22:36 +00:00
references:
- https://twitter.com/christophetd/status/1164506034720952320
author: Florian Roth, frack113
2019-08-22 12:22:36 +00:00
date: 2019/08/22
modified: 2021/07/03
2019-08-22 12:22:36 +00:00
tags:
- car.2013-05-009
- attack.defense_evasion
- attack.t1036 # an old one
- attack.t1036.003
2019-08-22 12:22:36 +00:00
logsource:
product: windows
category: process_creation
2019-08-22 12:22:36 +00:00
detection:
selection:
Description|startswith:
- 'Windows PowerShell'
- 'pwsh'
2019-08-22 12:22:36 +00:00
Company: 'Microsoft Corporation'
filter:
2020-10-15 21:24:16 +00:00
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
2019-08-22 12:22:36 +00:00
condition: selection and not filter
falsepositives:
- Unknown
level: critical