title: Alternate PowerShell Hosts id: 64e8e417-c19a-475a-8d19-98ea705394cc description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe status: experimental date: 2019/08/11 modified: 2020/02/25 author: Roberto Rodriguez @Cyb3rWard0g references: - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md tags: - attack.execution - attack.t1086 - attack.t1059.001 logsource: product: windows service: powershell detection: selection: EventID: - 4103 - 400 ContextInfo: '*' filter: - ContextInfo: 'powershell.exe' - Message: 'powershell.exe' # Both fields contain key=value pairs where the key HostApplication ist relevant but # can't be referred directly as event field. condition: selection and not filter falsepositives: - Programs using PowerShell directly without invocation of a dedicated interpreter - MSP Detection Searcher - Citrix ConfigSync.ps1 level: medium