Techniques
Sample rules
Potentially Suspicious PowerShell Child Processes
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects potentially suspicious child processes spawned by PowerShell
Detection logic
condition: selection and not 1 of filter_optional_*
filter_optional_amazon:
CommandLine|contains: \Program Files\Amazon\WorkspacesConfig\Scripts\
ParentCommandLine|contains: \Program Files\Amazon\WorkspacesConfig\Scripts\
selection:
Image|endswith:
- \bash.exe
- \bitsadmin.exe
- \certutil.exe
- \cscript.exe
- \forfiles.exe
- \hh.exe
- \mshta.exe
- \regsvr32.exe
- \rundll32.exe
- \schtasks.exe
- \scrcons.exe
- \scriptrunner.exe
- \sh.exe
- \wmic.exe
- \wscript.exe
ParentImage|endswith:
- \powershell_ise.exe
- \powershell.exe
- \pwsh.exe