LoFP / programs using powershell directly without invocation of a dedicated interpreter.

Sample rules

Alternate PowerShell Hosts Pipe

Description

Detects alternate PowerShell hosts, which can be used to bypass detections that look only for powershell.exe

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
  Image|contains:
  - :\Program Files\PowerShell\7-preview\pwsh.exe
  - :\Program Files\PowerShell\7\pwsh.exe
  - :\Windows\system32\dsac.exe
  - :\Windows\system32\inetsrv\w3wp.exe
  - :\Windows\System32\sdiagnhost.exe
  - :\Windows\system32\ServerManager.exe
  - :\Windows\system32\wbem\wmiprvse.exe
  - :\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
  - :\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  - :\Windows\System32\wsmprovhost.exe
  - :\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
  - :\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
filter_main_null:
  Image: null
filter_optional_azure_connected_machine_agent:
  Image|endswith: \GC\gc_worker.exe
  Image|startswith: C:\Program Files\AzureConnectedMachineAgent\GCArcService
filter_optional_citrix:
  Image|startswith: C:\Program Files\Citrix\
filter_optional_exchange:
  Image|startswith: C:\Program Files\Microsoft\Exchange Server\
filter_optional_sqlserver:
  Image|contains: \Microsoft SQL Server\
  Image|endswith: \Tools\Binn\SQLPS.exe
  Image|startswith:
  - C:\Program Files (x86)\
  - C:\Program Files\
selection:
  PipeName|startswith: \PSHost

Alternate PowerShell Hosts - PowerShell Module

Description

Detects alternate PowerShell hosts, which can be used to bypass detections that look only for powershell.exe

Detection logic

condition: selection and not 1 of filter_*
filter_adace:
  ContextInfo|contains: C:\Windows\system32\dsac.exe
filter_citrix:
  ContextInfo|contains: ConfigSyncRun.exe
filter_help_update:
  Payload|contains:
  - Update-Help
  - Failed to update Help for the module
filter_powershell:
  ContextInfo|contains:
  - = powershell
  - = C:\Windows\System32\WindowsPowerShell\v1.0\powershell
  - = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell
  - = C:/Windows/System32/WindowsPowerShell/v1.0/powershell
  - = C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell
filter_sdiagnhost:
  ContextInfo|contains: = C:\WINDOWS\System32\sdiagnhost.exe -Embedding
filter_winrm:
  ContextInfo|contains: C:\Windows\system32\wsmprovhost.exe -Embedding
selection:
  ContextInfo|contains: '*'
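To see how the two rules above (the named-pipe rule and the PowerShell Module rule) separate a legitimate alternate host from an unexpected one, the following added example evaluates both against constructed events. It is not code from this page or from the Sigma project; it implements only the Sigma subset the rules use (contains/startswith/endswith modifiers, the '*' wildcard, null values, OR-lists, AND across fields, and the condition shape "selection and not 1 of <prefix>*"). The rule dictionaries are transcribed from the page with the longer filter lists abbreviated, and the events, host paths and pipe names are constructed samples.

```python
"""Minimal evaluator for the two Sigma rules on this page (added example,
not the page's or the Sigma project's own code). Only the Sigma subset the
rules need is implemented; sample events below are constructed."""
import re


def _to_regex(value, modifier):
    """Translate one Sigma string value into a case-insensitive regex.
    Only the '*' wildcard is handled, which is all these rules use."""
    body = ".*".join(re.escape(part) for part in str(value).split("*"))
    if modifier == "contains":
        body = ".*" + body + ".*"
    elif modifier == "startswith":
        body = body + ".*"
    elif modifier == "endswith":
        body = ".*" + body
    return re.compile("^" + body + "$", re.IGNORECASE | re.DOTALL)


def _field_matches(event, key, expected):
    """Evaluate one 'Field|modifier: value(s)' entry; a list of values is OR."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    values = expected if isinstance(expected, list) else [expected]
    if values == [None]:              # Sigma 'Field: null' -> field missing
        return actual is None
    if actual is None:
        return False
    return any(_to_regex(v, modifier).match(str(actual)) for v in values)


def _block_matches(event, block):
    """All fields inside one selection/filter block must match (AND)."""
    return all(_field_matches(event, k, v) for k, v in block.items())


def evaluate(rule, event):
    """True when the event satisfies 'selection and not 1 of <prefix>*'
    for every '<prefix>*' group named in the rule's condition string."""
    parts = rule["condition"].split(" and not 1 of ")
    selection, prefixes = parts[0], [p.rstrip("*") for p in parts[1:]]
    if not _block_matches(event, rule[selection]):
        return False
    for prefix in prefixes:
        for name, block in rule.items():
            if name.startswith(prefix) and _block_matches(event, block):
                return False          # a known-good host filter applies
    return True


def firing(rule, labelled_events):
    """Labels of the events that would raise an alert for the rule."""
    return [label for label, ev in labelled_events if evaluate(rule, ev)]


# Rule 1 (Alternate PowerShell Hosts Pipe), transcribed from the page;
# filter_main_generic is abbreviated to three of its entries.
PIPE_RULE = {
    "condition": "selection and not 1 of filter_main_* and not 1 of filter_optional_*",
    "selection": {"PipeName|startswith": "\\PSHost"},
    "filter_main_generic": {"Image|contains": [
        ":\\Program Files\\PowerShell\\7\\pwsh.exe",
        ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"]},
    "filter_main_null": {"Image": None},
    "filter_optional_sqlserver": {
        "Image|contains": "\\Microsoft SQL Server\\",
        "Image|endswith": "\\Tools\\Binn\\SQLPS.exe",
        "Image|startswith": ["C:\\Program Files (x86)\\", "C:\\Program Files\\"]},
}

# Rule 2 (Alternate PowerShell Hosts - PowerShell Module), filters abbreviated.
MODULE_RULE = {
    "condition": "selection and not 1 of filter_*",
    "selection": {"ContextInfo|contains": "*"},
    "filter_powershell": {"ContextInfo|contains": [
        "= powershell",
        "= C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell"]},
    "filter_help_update": {"Payload|contains": [
        "Update-Help", "Failed to update Help for the module"]},
    "filter_winrm": {"ContextInfo|contains":
                     "C:\\Windows\\system32\\wsmprovhost.exe -Embedding"},
}

# Constructed sample events: named-pipe events and PowerShell Module records.
PIPE_EVENTS = [
    ("powershell.exe", {"PipeName": "\\PSHost.1", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}),
    ("sqlps", {"PipeName": "\\PSHost.2", "Image": "C:\\Program Files\\Microsoft SQL Server\\130\\Tools\\Binn\\SQLPS.exe"}),
    ("no-image", {"PipeName": "\\PSHost.3"}),
    ("not-pshost", {"PipeName": "\\mojo.4", "Image": "C:\\Users\\Public\\updater.exe"}),
    ("unknown-host", {"PipeName": "\\PSHost.5", "Image": "C:\\Users\\Public\\updater.exe"}),
]
MODULE_EVENTS = [
    ("powershell.exe", {"ContextInfo": "Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Payload": "CommandInvocation(Get-Date)"}),
    ("help-update", {"ContextInfo": "Host Application = C:\\Users\\Public\\updater.exe", "Payload": "Failed to update Help for the module Foo"}),
    ("unknown-host", {"ContextInfo": "Host Application = C:\\Users\\Public\\updater.exe", "Payload": "CommandInvocation(Get-Date)"}),
]

if __name__ == "__main__":
    print("pipe rule fires on:", firing(PIPE_RULE, PIPE_EVENTS))
    print("module rule fires on:", firing(MODULE_RULE, MODULE_EVENTS))
```

Only the events whose host binary is outside every filter block fire; the others are exactly the false-positive class this page catalogues (built-in hosts, SQLPS, help updates). When tuning, add a new filter block under the prefix the condition already names rather than widening the selection, so the rule keeps alerting on hosts you have not explicitly approved.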