title: Execute Code with Pester.bat
id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
description: Detects code execution via Pester.bat (Pester - PowerShell module for testing)
status: experimental
references:
    - https://twitter.com/Oddvarmoe/status/993383596244258816
author: Julia Fomina, oscd.community
date: 2020/10/08
tags:
    - attack.execution
    - attack.t1059.001
    - attack.defense_evasion
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    powershell_module:
        Image|endswith: '\powershell.exe'
        CommandLine|contains|all:
            - 'Pester'
            - 'Get-Help'
    cmd_execution:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - 'pester'
            - ';'
    get_help:
        CommandLine|contains:
            - 'help'
            - '?'
    condition: powershell_module or (cmd_execution and get_help)
level: medium
falsepositives:
    - Legitimate use of Pester for writing tests for PowerShell scripts and modules