SigmaHQ/rules/windows/powershell/powershell_code_injection.yml

title: Accessing WinAPI in PowerShell. Code Injection.
id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
status: experimental
description: Detecting Code injection with PowerShell in another process
author: Nikita Nazarov, oscd.community
date: 2020/10/06
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: sysmon
    definition: 'Note that you have to configure logging for CreateRemoteThread in Symson config'
detection:
    selection:
        EventID:
            - 8
        SourceImage|endswith: '\powershell.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
Detecting Code injection with PowerShell in another process 2020-10-06 17:52:18 +00:00			`title: Accessing WinAPI in PowerShell. Code Injection.`
			`id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50`
			`status: experimental`
			`description: Detecting Code injection with PowerShell in another process`
Update powershell_code_injection.yml 2020-10-07 11:50:00 +00:00			`author: Nikita Nazarov, oscd.community`
Detecting Code injection with PowerShell in another process 2020-10-06 17:52:18 +00:00			`date: 2020/10/06`
			`references:`
			`- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse`
			`tags:`
			`- attack.execution`
			`- attack.t1059.001`
			`logsource:`
			`product: windows`
			`service: sysmon`
			`definition: 'Note that you have to configure logging for CreateRemoteThread in Symson config'`
			`detection:`
			`selection:`
			`EventID:`
			`- 8`
Update powershell_code_injection.yml 2020-10-07 11:50:00 +00:00			`SourceImage\|endswith: '\powershell.exe'`
Detecting Code injection with PowerShell in another process 2020-10-06 17:52:18 +00:00			`condition: selection`
			`falsepositives:`
			`- Unknown`
			`level: high`