rules/windows/powershell/powershell_alternate_powershell_hosts.yml

title: Alternate PowerShell Hosts
id: 64e8e417-c19a-475a-8d19-98ea705394cc
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: experimental
date: 2019/08/11
modified: 2020/02/25
author: Roberto Rodriguez @Cyb3rWard0g
references:
    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
tags:
    - attack.execution
    - attack.t1086
    - attack.t1059.001
logsource:
    product: windows
    service: powershell
detection:
    selection:
        EventID:
            - 4103
            - 400
        ContextInfo: '*'
    filter:
        - ContextInfo: 'powershell.exe'
        - Message: 'powershell.exe'
        # Both fields contain key=value pairs where the key HostApplication ist relevant but
        # can't be referred directly as event field.
    condition: selection and not filter
falsepositives:
    - Programs using PowerShell directly without invocation of a dedicated interpreter
    - MSP Detection Searcher
    - Citrix ConfigSync.ps1
level: medium
Removed ATT&CK technique ids from titles and added tags 2020-01-11 00:33:50 +01:00			`title: Alternate PowerShell Hosts`
UUIDs + moved unsupported logic 2019-12-19 23:56:36 +01:00			`id: 64e8e417-c19a-475a-8d19-98ea705394cc`
added: 2019-10-24 15:48:38 +02:00			`description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe`
			`status: experimental`
			`date: 2019/08/11`
fix: lowered level due to false positives 2020-02-25 11:12:11 +01:00			`modified: 2020/02/25`
added: 2019-10-24 15:48:38 +02:00			`author: Roberto Rodriguez @Cyb3rWard0g`
			`references:`
			`- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md`
Removed ATT&CK technique ids from titles and added tags 2020-01-11 00:33:50 +01:00			`tags:`
			`- attack.execution`
			`- attack.t1086`
Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00			`- attack.t1059.001`
added: 2019-10-24 15:48:38 +02:00			`logsource:`
			`product: windows`
			`service: powershell`
			`detection:`
Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00			`selection:`
added: 2019-10-24 15:48:38 +02:00			`EventID:`
			`- 4103`
			`- 400`
Fixed rule 2020-02-02 12:54:56 +01:00			`ContextInfo: '*'`
added: 2019-10-24 15:48:38 +02:00			`filter:`
OSCD QA wave 1 2020-01-11 00:11:27 +01:00			`- ContextInfo: 'powershell.exe'`
			`- Message: 'powershell.exe'`
			`# Both fields contain key=value pairs where the key HostApplication ist relevant but`
			`# can't be referred directly as event field.`
added: 2019-10-24 15:48:38 +02:00			`condition: selection and not filter`
			`falsepositives:`
fix: lowered level due to false positives 2020-02-25 11:12:11 +01:00			`- Programs using PowerShell directly without invocation of a dedicated interpreter`
			`- MSP Detection Searcher`
docs: more false positive conditions 2020-02-25 11:13:58 +01:00			`- Citrix ConfigSync.ps1`
fix: lowered level due to false positives 2020-02-25 11:12:11 +01:00			`level: medium`