citrix configsync.ps1

Techniques

Sample rules

Alternate PowerShell Hosts - PowerShell Module

source: sigma
technicques:
- t1059
- t1059.001

Description

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

Detection logic

condition: selection and not 1 of filter_*
filter_adace:
  ContextInfo|contains: C:\Windows\system32\dsac.exe
filter_citrix:
  ContextInfo|contains: ConfigSyncRun.exe
filter_help_update:
  Payload|contains:
  - Update-Help
  - Failed to update Help for the module
filter_powershell:
  ContextInfo|contains:
  - = powershell
  - = C:\Windows\System32\WindowsPowerShell\v1.0\powershell
  - = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell
  - = C:/Windows/System32/WindowsPowerShell/v1.0/powershell
  - = C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell
filter_sdiagnhost:
  ContextInfo|contains: = C:\WINDOWS\System32\sdiagnhost.exe -Embedding
filter_winrm:
  ContextInfo|contains: C:\Windows\system32\wsmprovhost.exe -Embedding
selection:
  ContextInfo|contains: '*'