rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml

title: Accessing WinAPI in PowerShell. Code Injection
id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
status: test
description: Detects the creation of a remote thread from a Powershell process to another process
author: Nikita Nazarov, oscd.community
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
date: 2020/10/06
modified: 2022/08/12
logsource:
    product: windows
    category: create_remote_thread
    definition: 'Note that you have to configure logging for CreateRemoteThread in Symson config'
detection:
    selection:
        SourceImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    filter_powershell:
        SourceParentImage: 'C:\Windows\System32\CompatTelRunner.exe'
    condition: selection and not 1 of filter*
falsepositives:
    - Unknown
level: high
tags:
    - attack.execution
    - attack.t1059.001
fix: remove . from title 2022-04-06 16:37:04 +02:00			`title: Accessing WinAPI in PowerShell. Code Injection`
Detecting Code injection with PowerShell in another process 2020-10-06 20:52:18 +03:00			`id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
Update meta 2022-08-12 13:42:52 +01:00			`description: Detects the creation of a remote thread from a Powershell process to another process`
Update powershell_code_injection.yml 2020-10-07 14:50:00 +03:00			`author: Nikita Nazarov, oscd.community`
Detecting Code injection with PowerShell in another process 2020-10-06 20:52:18 +03:00			`references:`
Update selections and indentation 2022-07-07 20:13:45 +01:00			`- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`date: 2020/10/06`
Update meta 2022-08-12 13:42:52 +01:00			`modified: 2022/08/12`
Detecting Code injection with PowerShell in another process 2020-10-06 20:52:18 +03:00			`logsource:`
Update selections and indentation 2022-07-07 20:13:45 +01:00			`product: windows`
			`category: create_remote_thread`
			`definition: 'Note that you have to configure logging for CreateRemoteThread in Symson config'`
Detecting Code injection with PowerShell in another process 2020-10-06 20:52:18 +03:00			`detection:`
Update selections and indentation 2022-07-07 20:13:45 +01:00			`selection:`
New Rules + Update 2022-07-14 17:35:50 +01:00			`SourceImage\|endswith:`
			`- '\powershell.exe'`
			`- '\pwsh.exe'`
fix: FPs noticed with Aurora 2022-07-28 16:58:24 +02:00			`filter_powershell:`
			`SourceParentImage: 'C:\Windows\System32\CompatTelRunner.exe'`
			`condition: selection and not 1 of filter*`
Detecting Code injection with PowerShell in another process 2020-10-06 20:52:18 +03:00			`falsepositives:`
Update selections and indentation 2022-07-07 20:13:45 +01:00			`- Unknown`
Detecting Code injection with PowerShell in another process 2020-10-06 20:52:18 +03:00			`level: high`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`tags:`
Update selections and indentation 2022-07-07 20:13:45 +01:00			`- attack.execution`
			`- attack.t1059.001`