SigmaHQ/rules/windows/process_creation/win_susp_powershell_parent_combo.yml

33 lines
931 B
YAML
Raw Normal View History

2020-01-30 16:26:09 +00:00
title: Suspicious PowerShell Invocation Based on Parent Process
2019-11-12 22:12:27 +00:00
id: 95eadcb2-92e4-4ed1-9031-92547773a6db
status: experimental
description: Detects suspicious powershell invocations from interpreters or unusual programs
author: Florian Roth
date: 2019/01/16
references:
- https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
tags:
- attack.execution
- attack.t1086
2020-06-16 20:46:08 +00:00
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage:
- '*\wscript.exe'
- '*\cscript.exe'
Image:
- '*\powershell.exe'
falsepositive:
CurrentDirectory: '*\Health Service State\\*'
condition: selection and not falsepositive
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Microsoft Operations Manager (MOM)
- Other scripts
level: medium