SigmaHQ/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
2020-06-16 14:46:08 -06:00

34 lines
989 B
YAML

title: Alternate PowerShell Hosts Pipe
id: 58cb02d5-78ce-4692-b3e1-dce850aae41a
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: experimental
date: 2019/09/12
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
tags:
- attack.execution
- attack.t1086
- attack.t1059.001
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 17
PipeName|startswith: '\PSHost'
filter:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
condition: selection and not filter
fields:
- ComputerName
- User
- Image
- PipeName
falsepositives:
- Programs using PowerShell directly without invocation of a dedicated interpreter.
level: medium