From 0ad9fc61de3b60e8adfc90a0a1709ab15eef304f Mon Sep 17 00:00:00 2001
From: "Nikita P. Nazarov"
Date: Tue, 6 Oct 2020 20:52:18 +0300
Subject: [PATCH] Detecting Code injection with PowerShell in another process

---
 .../powershell/powershell_code_injection.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_code_injection.yml

diff --git a/rules/windows/powershell/powershell_code_injection.yml b/rules/windows/powershell/powershell_code_injection.yml
new file mode 100644
index 00000000..aa90fe42
--- /dev/null
+++ b/rules/windows/powershell/powershell_code_injection.yml
@@ -0,0 +1,24 @@
+title: Accessing WinAPI in PowerShell. Code Injection.
+id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
+status: experimental
+description: Detecting Code injection with PowerShell in another process
+author: Nikita Nazarov
+date: 2020/10/06
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+tags:
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: sysmon
+ definition: 'Note that you have to configure logging for CreateRemoteThread in Symson config'
+detection:
+ selection:
+ EventID:
+ - 8
+ SourceImage: '*\powershell.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
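Review bot: The `SourceImage: '*\powershell.exe'` selection only matches the Windows PowerShell host, so a CreateRemoteThread (Sysmon Event ID 8) issued from PowerShell Core or the ISE host will not fire; if those hosts are in scope, make it a list: `SourceImage:` followed by `- '*\powershell.exe'`, `- '*\pwsh.exe'`, `- '*\powershell_ise.exe'`. The rule is described as detecting code injection but is tagged only with the execution technique `attack.t1059.001`; the injection itself is ATT&CK T1055, so adding `attack.defense_evasion`, `attack.privilege_escalation` and `attack.t1055` would make the mapping match what the selection actually detects. The `definition` string also misspells Sysmon as `Symson`. Because the selection has no `TargetImage` or exclusion, every remote thread powershell.exe creates in another process will match, so `falsepositives: - Unknown` deserves at least a note that administrative tooling known to inject from PowerShell should be baselined before this runs at `level: high`.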