Suspicious Interactive PowerShell as SYSTEM
- source: sigma
- techniques:
  - t1059
  - t1059.001
Description
Detects the creation of files that indicate interactive use of PowerShell in the SYSTEM user context
Detection logic
selection:
    TargetFilename:
        - C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
        - C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
condition: selection
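To show how this selection behaves on real telemetry, here is an added Python example (not part of the rule or the Sigma project) that applies the two TargetFilename values to constructed file-creation records. It assumes the file events arrive as Sysmon Event ID 11 with a TargetFilename field, and uses case-insensitive comparison because Sigma string matching and NTFS paths are both case-insensitive.

```python
# Added example: evaluate the rule's TargetFilename selection against
# constructed Sysmon Event ID 11 (FileCreate) records. Not the page's own code.
import ntpath

# The two indicators from the rule's detection logic.
TARGET_FILENAMES = [
    r"C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt",
    r"C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive",
]


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'condition: selection'.

    Sigma string matching is case-insensitive and NTFS paths are too,
    so compare with normalised case rather than a raw equality check.
    The Event ID 11 check is an assumption about the log source mapping.
    """
    if event.get("EventID") != 11:  # only FileCreate events carry TargetFilename
        return False
    target = ntpath.normcase(event.get("TargetFilename", ""))
    return any(target == ntpath.normcase(t) for t in TARGET_FILENAMES)


def scan(events):
    """Return the events that would raise this alert."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"},
    # Same path, different casing: must still match.
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\powershell\StartupProfileData-Interactive"},
    # Same artefact under an ordinary user profile: interactive use, but not as SYSTEM.
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"},
    # A process-creation event has no TargetFilename and must not match.
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit["TargetFilename"])
```

Only the two systemprofile paths fire; the per-user ConsoleHost_history.txt is the same artefact but outside the SYSTEM profile, which is why the rule pins the full path rather than the file name.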