Techniques
Sample rules
Suspicious PowerShell Invocation From Script Engines
- source: sigma
- techniques:
- T1059 (Command and Scripting Interpreter)
- T1059.001 (PowerShell)
Description
Detects PowerShell (powershell.exe or pwsh.exe) being started by the Windows Script Host interpreters wscript.exe or cscript.exe, a parent/child pairing typical of VBScript or JScript droppers handing off to PowerShell. The rule evaluates process-creation events (Image, ParentImage, CurrentDirectory fields). Processes running from a Health Service State directory (the Microsoft Monitoring Agent's working directory) are excluded to suppress a known benign source of this pairing.
Detection logic
selection:
  Image|endswith:
    - \powershell.exe
    - \pwsh.exe
  ParentImage|endswith:
    - \wscript.exe
    - \cscript.exe
filter_health_service:
  CurrentDirectory|contains: \Health Service State\
condition: selection and not 1 of filter_*
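The detection logic above, run over a handful of constructed process-creation events, as an added example that is not part of the original rule or of the Sigma project. It implements only what this rule needs (the `endswith` and `contains` modifiers, AND across keys, OR across list values, and the `selection and not 1 of filter_*` condition); the event dictionaries, their `id` values and the `evaluate` function are assumptions made for the example.

```python
# Added example: a minimal evaluator for the rule's detection block.
# Field names follow the Sigma process_creation taxonomy used by the rule
# (Image, ParentImage, CurrentDirectory). Sample events are constructed.

SELECTION = {
    "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
    "ParentImage|endswith": ["\\wscript.exe", "\\cscript.exe"],
}

# Every filter_* block is an exclusion; "1 of filter_*" means any one matching.
FILTERS = {
    "filter_health_service": {
        "CurrentDirectory|contains": ["\\Health Service State\\"],
    },
}


def _field_matches(event, key, values):
    """One Sigma map entry: field name plus optional modifier, ORed values."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual = actual.lower()  # Sigma string matching is case-insensitive
    for value in values:
        value = value.lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and actual == value:
            return True
    return False


def _block_matches(event, block):
    """All keys inside a Sigma map are ANDed."""
    return all(
        _field_matches(event, key, vals if isinstance(vals, list) else [vals])
        for key, vals in block.items()
    )


def matches(event):
    """condition: selection and not 1 of filter_*"""
    if not _block_matches(event, SELECTION):
        return False
    return not any(_block_matches(event, f) for f in FILTERS.values())


def evaluate(events):
    """Return the ids of the events the rule would alert on."""
    return [event["id"] for event in events if matches(event)]


# Constructed events (hypothetical paths; not real telemetry).
SAMPLE_EVENTS = [
    {   # WSH dropper launching PowerShell from a user profile: alert
        "id": "ev1",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Windows\\System32\\wscript.exe",
        "CurrentDirectory": "C:\\Users\\alice\\Downloads\\",
    },
    {   # Same pairing under the monitoring agent's directory: filtered out
        "id": "ev2",
        "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
        "ParentImage": "C:\\Windows\\System32\\cscript.exe",
        "CurrentDirectory": "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\"
                            "Health Service State\\Monitoring Host Temporary Files 3\\",
    },
    {   # PowerShell started from Explorer: parent not a script engine, no alert
        "id": "ev3",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CurrentDirectory": "C:\\Users\\alice\\",
    },
    {   # Upper-case paths and no CurrentDirectory field: still an alert
        "id": "ev4",
        "Image": "C:\\WINDOWS\\SYSTEM32\\WINDOWSPOWERSHELL\\V1.0\\POWERSHELL.EXE",
        "ParentImage": "C:\\WINDOWS\\SYSTEM32\\WSCRIPT.EXE",
    },
    {   # wscript spawning cmd.exe: not PowerShell, no alert
        "id": "ev5",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Windows\\System32\\wscript.exe",
        "CurrentDirectory": "C:\\Users\\alice\\",
    },
]


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))
```

Note the behaviour of ev2 and ev4 when tuning this rule. The exclusion keys on `CurrentDirectory`, which is chosen by whatever creates the process, so a script that sets its working directory to any path containing `\Health Service State\` slips past the filter; pairing the exclusion with the expected parent process is stricter. Conversely, an event with no `CurrentDirectory` field at all (ev4) can never match the filter and therefore alerts, so a log source that omits that field will not benefit from the suppression.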