2020-10-07 15:19:45 +03:00
|
|
|
title: Execute Code with Pester.bat
|
|
|
|
|
id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
|
|
|
|
|
description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
|
|
|
|
|
status: experimental
|
|
|
|
|
references:
|
|
|
|
|
- https://twitter.com/Oddvarmoe/status/993383596244258816
|
|
|
|
|
author: Julia Fomina, oscd.community
|
2020-10-08 10:01:41 +03:00
|
|
|
date: 2020/10/08
|
2020-10-07 15:19:45 +03:00
|
|
|
tags:
|
2020-10-14 16:27:46 +03:00
|
|
|
- attack.execution
|
|
|
|
|
- attack.t1059.001
|
2020-10-14 16:57:58 +03:00
|
|
|
- attack.defense_evasion
|
|
|
|
|
- attack.t1216
|
2020-10-07 15:19:45 +03:00
|
|
|
logsource:
|
|
|
|
|
category: process_creation
|
|
|
|
|
product: windows
|
|
|
|
|
detection:
|
2020-10-08 10:01:41 +03:00
|
|
|
powershell_module:
|
2020-10-08 10:13:20 +03:00
|
|
|
Image|endswith: '\powershell.exe'
|
2020-10-07 15:19:45 +03:00
|
|
|
CommandLine|contains|all:
|
|
|
|
|
- 'Pester'
|
2020-10-08 10:01:41 +03:00
|
|
|
- 'Get-Help'
|
|
|
|
|
cmd_execution:
|
2020-10-07 15:19:45 +03:00
|
|
|
Image|endswith: '\cmd.exe'
|
2020-10-08 10:01:41 +03:00
|
|
|
CommandLine|contains|all:
|
2020-10-08 10:13:20 +03:00
|
|
|
- 'pester'
|
2020-10-08 10:01:41 +03:00
|
|
|
- ';'
|
|
|
|
|
get_help:
|
2020-10-07 15:19:45 +03:00
|
|
|
CommandLine|contains:
|
2020-10-09 09:23:35 +03:00
|
|
|
- 'help'
|
|
|
|
|
- '?'
|
2020-10-08 10:01:41 +03:00
|
|
|
condition: powershell_module or (cmd_execution and get_help)
|
2020-10-07 15:19:45 +03:00
|
|
|
level: medium
|
|
|
|
|
falsepositives:
|
|
|
|
|
- Legitimate use of Pester for writing tests for Powershell scripts and modules
|
