Techniques
Sample rules
Execute Code with Pester.bat as Parent
- source: sigma
- techniques:
- t1059
- t1059.001
- t1216
Description
Detects code execution via Pester.bat (Pester - PowerShell module for testing)
Detection logic
    selection_cli:
        ParentCommandLine|contains:
            - '{ Invoke-Pester -EnableExit ;'
            - '{ Get-Help "'
    selection_module:
        ParentCommandLine|contains: '\WindowsPowerShell\Modules\Pester\'
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: all of selection_*
Execute Code with Pester.bat
- source: sigma
- techniques:
- t1059
- t1059.001
- t1216
Description
Detects code execution via Pester.bat (Pester - PowerShell module for testing)
Detection logic
    cmd_execution:
        CommandLine|contains|all:
            - 'pester'
            - ';'
        Image|endswith: '\cmd.exe'
    get_help:
        CommandLine|contains:
            - 'help'
            - '\?'
    powershell_module:
        CommandLine|contains|all:
            - 'Pester'
            - 'Get-Help'
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: powershell_module or (cmd_execution and get_help)