security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4e9ef005c2906b6d5b1de02e51affe733477e7c6
blue-team-tools/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
T
Djordje Lukic f33530e756 Merge PR #4994 from @djlukic - Multiple FP fixes 
update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add additional filters for third party AV
update: Suspicious Non PowerShell WSMAN COM Provider - Add new filter to cover the edge case where the `HostApplication` field is null
update: Renamed Powershell Under Powershell Channel - Add new filter to cover the edge case where the `HostApplication` field is null

---------
 
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-08 23:08:50 +02:00

38 lines
1.9 KiB
YAML
Raw Blame History

title: Renamed Powershell Under Powershell Channel
id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
status: test
description: |
Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Harish Segar, frack113
date: 2020-06-29
modified: 2024-10-08
tags:
- attack.execution
- attack.t1059.001
- attack.t1036.003
logsource:
product: windows
category: ps_classic_start
detection:
selection:
Data|contains: 'HostName=ConsoleHost'
# Note: Powershell Logging Data is localized. Meaning that "HostApplication" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer amount of possibilities. It's up to the user to add these cases.
filter_main_ps:
Data|contains:
- 'HostApplication=powershell'
- 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
- 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
# In some cases powershell was invoked with inverted slashes
- 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
- 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
filter_main_host_application_null:
# Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex.
# If you're already mapping and extracting the field, then obviously use that directly.
Data|re: 'HostId=[a-zA-Z0-9-]{36} EngineVersion='
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: low
Reference in New Issue View Git Blame Copy Permalink