title: Accessing WinAPI in PowerShell. Code Injection
id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
status: test
description: Detects the creation of a remote thread from a Powershell process to another process
author: Nikita Nazarov, oscd.community
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
date: 2020/10/06
modified: 2022/08/12
logsource:
    product: windows
    category: create_remote_thread
    definition: 'Note that you have to configure logging for CreateRemoteThread in Symson config'
detection:
    selection:
        SourceImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    filter_powershell:
        SourceParentImage: 'C:\Windows\System32\CompatTelRunner.exe'
    condition: selection and not 1 of filter*
falsepositives:
    - Unknown
level: high
tags:
    - attack.execution
    - attack.t1059.001