rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml

title: Alternate PowerShell Hosts
id: 64e8e417-c19a-475a-8d19-98ea705394cc
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: test
date: 2019/08/11
modified: 2021/10/16
author: Roberto Rodriguez @Cyb3rWard0g
references:
    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1086  # an old one
logsource:
    product: windows
    category: ps_module
    definition: PowerShell Module Logging must be enabled
detection:
    selection:
        ContextInfo: '*'
    filter:
        ContextInfo|contains: 'powershell.exe' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event
    condition: selection and not filter        
falsepositives:
    - Programs using PowerShell directly without invocation of a dedicated interpreter
    - MSP Detection Searcher
    - Citrix ConfigSync.ps1
level: medium
Removed ATT&CK technique ids from titles and added tags 2020-01-11 00:33:50 +01:00			`title: Alternate PowerShell Hosts`
$frack113$ split global powershell_alternate_powershell_hosts.yml 2021-09-21 09:52:35 +02:00			`id: 64e8e417-c19a-475a-8d19-98ea705394cc`
added: 2019-10-24 15:48:38 +02:00			`description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe`
$frack113$ fix many FP 2021-08-18 13:56:14 +02:00			`status: test`
added: 2019-10-24 15:48:38 +02:00			`date: 2019/08/11`
$frack113$ Change to category: ps_module 2021-10-16 08:05:15 +02:00			`modified: 2021/10/16`
added: 2019-10-24 15:48:38 +02:00			`author: Roberto Rodriguez @Cyb3rWard0g`
			`references:`
Update Threat Hunter Playbook Reference 2021-05-22 01:03:23 -03:00			`- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html`
Removed ATT&CK technique ids from titles and added tags 2020-01-11 00:33:50 +01:00			`tags:`
			`- attack.execution`
Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00			`- attack.t1059.001`
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-24 00:01:50 +00:00			`- attack.t1086 # an old one`
added: 2019-10-24 15:48:38 +02:00			`logsource:`
			`product: windows`
$frack113$ Change to category: ps_module 2021-10-16 08:05:15 +02:00			`category: ps_module`
docs: extended the description by a word 2021-10-09 16:42:42 +02:00			`definition: PowerShell Module Logging must be enabled`
added: 2019-10-24 15:48:38 +02:00			`detection:`
Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00			`selection:`
Fixed rule 2020-02-02 12:54:56 +01:00			`ContextInfo: '*'`
$frack113$ add definition to powershell-classic 2021-08-16 12:56:24 +02:00			`filter:`
$frack113$ fix ContextInfo FP 2021-08-18 15:18:29 +02:00			`ContextInfo\|contains: 'powershell.exe' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event`
$frack113$ add definition to powershell-classic 2021-08-16 12:56:24 +02:00			`condition: selection and not filter`
$frack113$ split global powershell_alternate_powershell_hosts.yml 2021-09-21 09:52:35 +02:00			`falsepositives:`
			`- Programs using PowerShell directly without invocation of a dedicated interpreter`
			`- MSP Detection Searcher`
			`- Citrix ConfigSync.ps1`
			`level: medium`