LoFP / possible depending on environment. pair with other factors such as net connections, command-line args, etc.

Techniques

• t1127

Sample rules

Suspicious Use of CSharp Interactive Console

• source: sigma
• technicques:
  • t1127

Description

Detects the execution of CSharp interactive console by PowerShell

Detection logic

condition: selection
selection:
  Image|endswith: \csi.exe
  OriginalFileName: csi.exe
  ParentImage|endswith:
  - \powershell.exe
  - \pwsh.exe
  - \powershell_ise.exe