title: Renamed PowerShell
status: experimental
description: Detects the execution of a renamed PowerShell often used by attackers or malware 
references:
    - https://twitter.com/christophetd/status/1164506034720952320
author: Florian Roth
date: 2019/08/22
tags:
    - car.2013-05-009
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        Description: 'Windows PowerShell'
        Company: 'Microsoft Corporation'
    filter:
        Image: '*\powershell.exe'
        Image: '*\powershell_ise.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: critical