rules/windows/pipe_created/sysmon_powershell_execution_pipe.yml

title: T1086 PowerShell Execution
id: ac7102b4-9e1e-4802-9b4f-17c5524c015c
description: Detects execution of PowerShell
status: experimental
date: 2019/09/12
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
    - attack.execution
    - attack.t1059.001
references:
    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
logsource:
    product: windows
    category: pipe_created
detection:
    selection:
        PipeName|startswith: '\PSHost'
    condition: selection
falsepositives:
    - Unknown
level: informational
10 rules from THP - contributing soon 2020-10-12 15:42:34 -04:00			`title: T1086 PowerShell Execution`
			`id: ac7102b4-9e1e-4802-9b4f-17c5524c015c`
			`description: Detects execution of PowerShell`
			`status: experimental`
			`date: 2019/09/12`
			`author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)`
			`tags:`
			`- attack.execution`
			`- attack.t1059.001`
			`references:`
			`- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html`
			`logsource:`
			`product: windows`
- Modified rules to use categories instead of hardcoded event IDs 2021-04-15 01:40:31 +02:00			`category: pipe_created`
10 rules from THP - contributing soon 2020-10-12 15:42:34 -04:00			`detection:`
Fixes&improvements 2021-04-08 00:32:01 +02:00			`selection:`
			`PipeName\|startswith: '\PSHost'`
10 rules from THP - contributing soon 2020-10-12 15:42:34 -04:00			`condition: selection`
			`falsepositives:`
			`- Unknown`
Fixes&improvements 2021-04-08 00:32:01 +02:00			`level: informational`