Techniques
Sample rules
PowerShell Script Dropped Via PowerShell.EXE
- source: sigma
- techniques:
Description
Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.
Detection logic
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|endswith: '.ps1'
    filter_main_appdata:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\Local\Temp\'
    filter_main_psscriptpolicytest:
        TargetFilename|contains: '__PSScriptPolicyTest_'
    filter_main_windows_temp:
        TargetFilename|startswith: 'C:\Windows\Temp\'
    condition: selection and not 1 of filter_main_*
Potential Binary Or Script Dropper Via PowerShell
- source: sigma
- techniques:
Description
Detects PowerShell creating a binary executable or a script file.
Detection logic
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|endswith:
            - '.bat'
            - '.chm'
            - '.cmd'
            - '.com'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.jar'
            - '.js'
            - '.ocx'
            - '.scr'
            - '.sys'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    filter_main_admin_temp:
        TargetFilename|startswith: 'C:\Windows\Temp\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    filter_main_user_temp:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\Local\Temp\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    condition: selection and not 1 of filter_main_*
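To show how the two rules above actually behave on telemetry, including where their filter_main_* exclusions suppress a hit, here is an added example (not part of this page and not code from the Sigma project) that transcribes both rules as Python dictionaries and evaluates them against constructed Sysmon Event ID 11 (FileCreate) events. It implements only the Sigma subset these rules use: the endswith, startswith and contains modifiers with Sigma's default case-insensitive matching, lists as OR, keys within one selection as AND, and the condition shape "selection and not 1 of filter_main_*". All event values and helper names (rule_matches, evaluate, SAMPLE_EVENTS) are assumptions made for the example.

```python
import fnmatch
import re

# Both rules transcribed from the page, keeping Sigma's "field|modifier" keys.
RULE_PS1_DROPPER = {
    "title": "PowerShell Script Dropped Via PowerShell.EXE",
    "selection": {
        "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
        "TargetFilename|endswith": ".ps1",
    },
    "filter_main_appdata": {
        "TargetFilename|startswith": "C:\\Users\\",
        "TargetFilename|contains": "\\AppData\\Local\\Temp\\",
    },
    "filter_main_psscriptpolicytest": {"TargetFilename|contains": "__PSScriptPolicyTest_"},
    "filter_main_windows_temp": {"TargetFilename|startswith": "C:\\Windows\\Temp\\"},
    "condition": "selection and not 1 of filter_main_*",
}

DROPPER_EXTENSIONS = [".bat", ".chm", ".cmd", ".com", ".dll", ".exe", ".hta", ".jar",
                      ".js", ".ocx", ".scr", ".sys", ".vbe", ".vbs", ".wsf"]

RULE_BINARY_DROPPER = {
    "title": "Potential Binary Or Script Dropper Via PowerShell",
    "selection": {
        "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
        "TargetFilename|endswith": DROPPER_EXTENSIONS,
    },
    "filter_main_admin_temp": {
        "TargetFilename|startswith": "C:\\Windows\\Temp\\",
        "TargetFilename|endswith": [".dll", ".exe"],
    },
    "filter_main_user_temp": {
        "TargetFilename|startswith": "C:\\Users\\",
        "TargetFilename|contains": "\\AppData\\Local\\Temp\\",
        "TargetFilename|endswith": [".dll", ".exe"],
    },
    "condition": "selection and not 1 of filter_main_*",
}

# Sigma string modifiers used by these rules; matching is case-insensitive by default.
MODIFIERS = {
    "endswith": lambda value, pat: value.endswith(pat),
    "startswith": lambda value, pat: value.startswith(pat),
    "contains": lambda value, pat: pat in value,
    "equals": lambda value, pat: value == pat,
}

def field_matches(event, key, patterns):
    """One 'field|modifier' entry: a list of patterns is an OR."""
    field, _, modifier = key.partition("|")
    op = MODIFIERS[modifier or "equals"]
    value = str(event.get(field, "")).lower()
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(op(value, str(p).lower()) for p in patterns)

def selection_matches(event, selection):
    """All entries of a selection/filter map must hold (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())

# Only the condition form these two rules use is supported.
_CONDITION = re.compile(r"^(\w+) and not 1 of ([\w*?]+)$")

def rule_matches(rule, event):
    m = _CONDITION.match(rule["condition"])
    if not m:
        raise ValueError("unsupported condition: " + rule["condition"])
    selection_name, filter_glob = m.groups()
    if not selection_matches(event, rule[selection_name]):
        return False
    filters = [name for name in rule if fnmatch.fnmatchcase(name, filter_glob)]
    return not any(selection_matches(event, rule[name]) for name in filters)

def evaluate(events, rules=(RULE_PS1_DROPPER, RULE_BINARY_DROPPER)):
    """Return (TargetFilename, rule title) for every event/rule pair that fires."""
    return [(e["TargetFilename"], r["title"]) for e in events for r in rules if rule_matches(r, e)]

# Constructed Sysmon FileCreate events (assumed values, not real telemetry).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
PWSH = "C:\\Program Files\\PowerShell\\7\\pwsh.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": PS, "TargetFilename": "C:\\Users\\alice\\Documents\\update.ps1"},
    {"EventID": 11, "Image": PS, "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\__PSScriptPolicyTest_abcd.ps1"},
    {"EventID": 11, "Image": PWSH, "TargetFilename": "C:\\ProgramData\\loader.dll"},
    {"EventID": 11, "Image": PS, "TargetFilename": "C:\\Windows\\Temp\\tool.exe"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": "C:\\Users\\bob\\Desktop\\notes.vbs"},
    {"EventID": 11, "Image": PWSH, "TargetFilename": "C:\\Users\\bob\\Desktop\\invoice.vbs"},
]

if __name__ == "__main__":
    for target, title in evaluate(SAMPLE_EVENTS):
        print(f"{title}: {target}")
```

Of the six events, three fire: the .ps1 written to a user's Documents folder (first rule), the .dll written to ProgramData and the .vbs written to a Desktop (second rule). The .ps1 under AppData\Local\Temp and the .exe under C:\Windows\Temp are suppressed by the filters, which is worth keeping in mind when tuning: those paths are exactly where a real dropper might choose to write, so the exclusions trade coverage for noise reduction.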