title: Alternate PowerShell Hosts
id: 64e8e417-c19a-475a-8d19-98ea705394cc
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: experimental
date: 2019/08/11
author: Roberto Rodriguez @Cyb3rWard0g
references:
    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1086  # an old one
logsource:
    product: windows
    service: powershell
detection:
    selection:
        EventID:
            - 4103
            - 400
        ContextInfo: '*'
    filter:
        - ContextInfo: 'powershell.exe'
        - Message: 'powershell.exe'
        # Both fields contain key=value pairs where the key HostApplication ist relevant but
        # can't be referred directly as event field.
    condition: selection and not filter
falsepositives:
    - Programs using PowerShell directly without invocation of a dedicated interpreter
    - MSP Detection Searcher
    - Citrix ConfigSync.ps1
level: medium