rules/windows/process_creation/proc_creation_win_renamed_powershell.yml

title: Renamed PowerShell
id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20
status: test
description: Detects the execution of a renamed PowerShell often used by attackers or malware
references:
    - https://twitter.com/christophetd/status/1164506034720952320
author: Florian Roth, frack113
date: 2019/08/22
modified: 2021/07/03
tags:
    - car.2013-05-009
    - attack.defense_evasion
    - attack.t1036.003
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Description|startswith:
            - 'Windows PowerShell'
            - 'pwsh'
        Company: 'Microsoft Corporation'
    filter:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: critical
rule: renamed powershell 2019-08-22 14:22:36 +02:00			`title: Renamed PowerShell`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20`
chore: increase rule status 2022-03-07 12:39:51 +01:00			`status: test`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`description: Detects the execution of a renamed PowerShell often used by attackers or malware`
rule: renamed powershell 2019-08-22 14:22:36 +02:00			`references:`
			`- https://twitter.com/christophetd/status/1164506034720952320`
$frack113$ Tune detection in win_renamed_powershell.yml 2021-07-03 15:18:01 +02:00			`author: Florian Roth, frack113`
rule: renamed powershell 2019-08-22 14:22:36 +02:00			`date: 2019/08/22`
$frack113$ Tune detection in win_renamed_powershell.yml 2021-07-03 15:18:01 +02:00			`modified: 2021/07/03`
rule: renamed powershell 2019-08-22 14:22:36 +02:00			`tags:`
			`- car.2013-05-009`
att&ck tags review: windows/process_creation part 5 2020-09-07 02:00:41 +04:00			`- attack.defense_evasion`
chore: increase rule status 2022-03-07 12:39:51 +01:00			`- attack.t1036.003`
rule: renamed powershell 2019-08-22 14:22:36 +02:00			`logsource:`
			`product: windows`
move renamed bnaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule) 2020-05-23 07:17:56 -04:00			`category: process_creation`
rule: renamed powershell 2019-08-22 14:22:36 +02:00			`detection:`
			`selection:`
chore: increase rule status 2022-03-07 12:39:51 +01:00			`Description\|startswith:`
$frack113$ Tune detection in win_renamed_powershell.yml 2021-07-03 15:18:01 +02:00			`- 'Windows PowerShell'`
			`- 'pwsh'`
rule: renamed powershell 2019-08-22 14:22:36 +02:00			`Company: 'Microsoft Corporation'`
			`filter:`
chore: increase rule status 2022-03-07 12:39:51 +01:00			`Image\|endswith:`
Update win_renamed_powershell.yml 2020-10-15 18:24:16 -03:00			`- '\powershell.exe'`
			`- '\powershell_ise.exe'`
$frack113$ Tune detection in win_renamed_powershell.yml 2021-07-03 15:18:01 +02:00			`- '\pwsh.exe'`
rule: renamed powershell 2019-08-22 14:22:36 +02:00			`condition: selection and not filter`
			`falsepositives:`
			`- Unknown`
			`level: critical`