security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8f8ce06ffb8d8fd3433dbffebccd33ec9d23e51a
blue-team-tools/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
T
Fukusuke Takahashi 587da70c94 Merge PR #4519 from @fukusuket - Update PowerShell Classic Rule To Use Data Field 
update: Suspicious XOR Encoded PowerShell Command Line - PowerShell
update: Uncommon PowerShell Hosts
update: Delete Volume Shadow Copies Via WMI With PowerShell
update: PowerShell Downgrade Attack - PowerShell
update: PowerShell Called from an Executable Version Mismatch
update: Netcat The Powershell Version
update: Remote PowerShell Session (PS Classic)
update: Renamed Powershell Under Powershell Channel
update: Suspicious PowerShell Download
update: Use Get-NetTCPConnection
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell
update: Tamper Windows Defender - PSClassic
update: Suspicious Non PowerShell WSMAN COM Provider
update: Suspicious XOR Encoded PowerShell Command Line - PowerShell

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-10-28 12:43:58 +02:00

32 lines
1.3 KiB
YAML
Raw Blame History

title: Renamed Powershell Under Powershell Channel
id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
status: test
description: Detects renamed powershell
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Harish Segar, frack113
date: 2020/06/29
modified: 2023/10/27
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_classic_start
detection:
selection:
Data|contains: 'HostName=ConsoleHost'
# Note: Powershell Logging Data is localized. Meaning that "HostApplication" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer ammount of possibilities. It's up to the user to add these cases.
filter_main_ps:
Data|contains:
- 'HostApplication=powershell'
- 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
- 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
# In some cases powershell was invoked with inverted slashes
- 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
- 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: low
Reference in New Issue View Git Blame Copy Permalink