title: Renamed Powershell Under Powershell Channel id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592 status: test description: | Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths. references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse author: Harish Segar, frack113 date: 2020-06-29 modified: 2025-01-20 tags: - attack.execution - attack.defense-evasion - attack.t1059.001 - attack.t1036.003 logsource: product: windows category: ps_classic_start detection: selection: Data|contains: 'HostName=ConsoleHost' # Note: Powershell Logging Data is localized. Meaning that "HostApplication" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer amount of possibilities. It's up to the user to add these cases. filter_main_ps: Data|contains: - 'HostApplication=powershell' - 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell' - 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell' # In some cases powershell was invoked with inverted slashes - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell' - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell' - 'HostApplication=C:\\\\WINDOWS\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe' - 'HostApplication=C:\\\\WINDOWS\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe' filter_main_host_application_null: # Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex. # If you're already mapping and extracting the field, then obviously use that directly. Data|re: 'HostId=[a-zA-Z0-9-]{36}\s+EngineVersion=' condition: selection and not 1 of filter_main_* falsepositives: - Unknown level: low