title: PowerShell PSAttack 
status: experimental
description: Detects the use of PSAttack PowerShell hack tool
reference: https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
    platform: windows
    product: powershell
    description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
    EventID: 4103
    keywords:
        - 'PS ATTACK!!!'
    condition: keywords
falsepositives:
    - Pentesters
level: high