Techniques
Sample rules
Suspicious PowerShell Parent Process
- source: sigma
- techniques:
  - t1059
  - t1059.001
Description
Detects suspicious or uncommon parent processes of PowerShell
Detection logic
condition: all of selection_*
selection_parent:
  - ParentImage|contains: tomcat
  - ParentImage|endswith:
      - \amigo.exe
      - \browser.exe
      - \chrome.exe
      - \firefox.exe
      - \httpd.exe
      - \iexplore.exe
      - \jbosssvc.exe
      - \microsoftedge.exe
      - \microsoftedgecp.exe
      - \MicrosoftEdgeSH.exe
      - \mshta.exe
      - \nginx.exe
      - \outlook.exe
      - \php-cgi.exe
      - \regsvr32.exe
      - \rundll32.exe
      - \safari.exe
      - \services.exe
      - \sqlagent.exe
      - \sqlserver.exe
      - \sqlservr.exe
      - \vivaldi.exe
      - \w3wp.exe
selection_powershell:
  - Image|endswith:
      - \powershell.exe
      - \pwsh.exe
  - CommandLine|contains:
      - /c powershell
      - /c pwsh
  - Description: Windows PowerShell
  - Product: PowerShell Core 6
  - OriginalFileName:
      - PowerShell.EXE
      - pwsh.dll
Suspicious PowerShell Invocation From Script Engines
- source: sigma
- techniques:
  - t1059
  - t1059.001
Description
Detects suspicious PowerShell invocations from interpreters or unusual programs
Detection logic
condition: selection and not 1 of filter_*
filter_health_service:
  CurrentDirectory|contains: \Health Service State\
selection:
  Image|endswith:
    - \powershell.exe
    - \pwsh.exe
  ParentImage|endswith:
    - \wscript.exe
    - \cscript.exe
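Added example, not code from this page or from the Sigma project: a minimal evaluator for the two rules above (list-of-maps = OR, keys within a map = AND, `|contains` / `|endswith` modifiers, case-insensitive matching), applied to constructed Sysmon-style process-creation events. Field names are those the rules use; the sample events are made up.

```python
def _match_value(value, modifier, pattern):
    # Sigma string comparisons are case-insensitive; only the modifiers the rules use are implemented
    v, p = str(value).lower(), str(pattern).lower()
    if modifier == "contains":
        return p in v
    if modifier == "endswith":
        return v.endswith(p)
    return v == p  # no modifier: exact match
def _match_map(event, fields):
    # Every key in a map must match (AND); a list of patterns means any of them (OR)
    for key, patterns in fields.items():
        name, _, modifier = key.partition("|")
        patterns = patterns if isinstance(patterns, list) else [patterns]
        if name not in event or not any(_match_value(event[name], modifier, p) for p in patterns):
            return False
    return True
def match_selection(event, selection):
    # A selection is one map (AND of its keys) or a list of maps (OR across the maps)
    maps = selection if isinstance(selection, list) else [selection]
    return any(_match_map(event, m) for m in maps)

PARENT_SUFFIXES = ["\\" + n for n in (  # the ParentImage|endswith list of the first rule
    "amigo.exe browser.exe chrome.exe firefox.exe httpd.exe iexplore.exe jbosssvc.exe microsoftedge.exe "
    "microsoftedgecp.exe MicrosoftEdgeSH.exe mshta.exe nginx.exe outlook.exe php-cgi.exe regsvr32.exe "
    "rundll32.exe safari.exe services.exe sqlagent.exe sqlserver.exe sqlservr.exe vivaldi.exe w3wp.exe").split()]
SELECTION_PARENT = [{"ParentImage|contains": "tomcat"}, {"ParentImage|endswith": PARENT_SUFFIXES}]
SELECTION_POWERSHELL = [{"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
                        {"CommandLine|contains": ["/c powershell", "/c pwsh"]},
                        {"Description": "Windows PowerShell"}, {"Product": "PowerShell Core 6"},
                        {"OriginalFileName": ["PowerShell.EXE", "pwsh.dll"]}]
SCRIPT_ENGINE = {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
                 "ParentImage|endswith": ["\\wscript.exe", "\\cscript.exe"]}
HEALTH_SERVICE_FILTER = {"CurrentDirectory|contains": "\\Health Service State\\"}

def fired_rules(event):
    # Returns the titles of the rules above that match one process-creation event
    fired = []
    if match_selection(event, SELECTION_PARENT) and match_selection(event, SELECTION_POWERSHELL):
        fired.append("Suspicious PowerShell Parent Process")  # condition: all of selection_*
    if match_selection(event, SCRIPT_ENGINE) and not match_selection(event, HEALTH_SERVICE_FILTER):
        fired.append("Suspicious PowerShell Invocation From Script Engines")  # selection and not 1 of filter_*
    return fired

# Constructed sample events (not real telemetry); field names follow Sysmon process creation
SAMPLE_EVENTS = {
    "iis_worker": {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                   "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    "scom_health": {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    "ParentImage": r"C:\Windows\System32\cscript.exe",
                    "CurrentDirectory": r"C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Temp"},
}
```

The second sample shows the filter at work: a cscript-spawned PowerShell running from the monitoring agent's Health Service State directory matches the selection but is suppressed by filter_health_service.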