deprecated/windows/image_load_alternate_powershell_hosts_moduleload.yml

title: Alternate PowerShell Hosts - Image
id: fe6e002f-f244-4278-9263-20e4b593827f
status: deprecated
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
references:
    - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2019/09/12
modified: 2023/06/01
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Description: 'System.Management.Automation'
        ImageLoaded|contains: 'System.Management.Automation'
    filter_generic:
        - Image|endswith:
            - '\powershell.exe'
            - '\mscorsvw.exe'
        - Image|startswith:
            - 'C:\Program Files (x86)\Microsoft Visual Studio\'
            - 'C:\Program Files\Microsoft Visual Studio\'
            - 'C:\Windows\System32\'
            - 'C:\Program Files\Citrix\ConfigSync\'
        - Image: 'C:\Program Files\PowerShell\7\pwsh.exe'
    filter_aurora:
        # This filter is to avoid a race condition FP with this specific ETW provider in aurora
        Image: null
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: low
$frack113$ Update title (#3746 ) 2022-12-02 18:10:43 +01:00			`title: Alternate PowerShell Hosts - Image`
10 rules from THP - contributing soon 2020-10-12 15:42:34 -04:00			`id: fe6e002f-f244-4278-9263-20e4b593827f`
feat: more updates 2023-06-01 23:22:35 +02:00			`status: deprecated`
$frack113$ Order yaml field 2022-10-26 09:42:26 +02:00			`description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe`
			`references:`
fix: resolves #4015 2023-02-07 14:33:56 +01:00			`- https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html`
$frack113$ Order yaml field 2022-10-26 09:42:26 +02:00			`author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)`
10 rules from THP - contributing soon 2020-10-12 15:42:34 -04:00			`date: 2019/09/12`
feat: more updates 2023-06-01 23:22:35 +02:00			`modified: 2023/06/01`
10 rules from THP - contributing soon 2020-10-12 15:42:34 -04:00			`tags:`
			`- attack.execution`
			`- attack.t1059.001`
			`logsource:`
			`product: windows`
$frack113$ image_load is a category 2021-05-12 09:02:04 +02:00			`category: image_load`
10 rules from THP - contributing soon 2020-10-12 15:42:34 -04:00			`detection:`
Fixes&improvements 2021-04-08 00:32:01 +02:00			`selection:`
Modified some field values for case sensitive backends (SQL) 2021-05-13 06:19:04 +02:00			`Description: 'System.Management.Automation'`
			`ImageLoaded\|contains: 'System.Management.Automation'`
Fix FP 2022-11-08 12:05:38 +01:00			`filter_generic:`
fix: FPs noticed with Aurora 2021-12-04 10:57:13 +01:00			`- Image\|endswith:`
fix: more FPs noticed with Aurora 2021-12-03 19:02:24 +01:00			`- '\powershell.exe'`
			`- '\mscorsvw.exe'`
fix: FPs noticed with Aurora 2021-12-04 10:57:13 +01:00			`- Image\|startswith:`
			`- 'C:\Program Files (x86)\Microsoft Visual Studio\'`
			`- 'C:\Program Files\Microsoft Visual Studio\'`
fix: FPs noticed with Aurora 2021-12-07 10:38:10 +01:00			`- 'C:\Windows\System32\'`
fix: FPs noticed with Aurora 2022-02-21 18:43:18 +01:00			`- 'C:\Program Files\Citrix\ConfigSync\'`
feat: general fixes 2022-11-22 01:22:36 +01:00			`- Image: 'C:\Program Files\PowerShell\7\pwsh.exe'`
Fix FP 2022-11-08 12:05:38 +01:00			`filter_aurora:`
			`# This filter is to avoid a race condition FP with this specific ETW provider in aurora`
			`Image: null`
Fix typo in conditions 2022-11-08 12:10:20 +01:00			`condition: selection and not 1 of filter_*`
10 rules from THP - contributing soon 2020-10-12 15:42:34 -04:00			`falsepositives:`
			`- Unknown`
$frack113$ Order yaml field 2022-10-26 09:42:26 +02:00			`level: low`