Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Alternate PowerShell Hosts Pipe

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Roberto Rodriguez (Cyb3rWard0g), Tim SheltonCreated Thu Sep 12Updated Tue Oct 0758cb02d5-78ce-4692-b3e1-dce850aae41awindows
Log Source
WindowsNamed Pipe Created
ProductWindows← raw: windows
CategoryNamed Pipe Created← raw: pipe_created

Definition

Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575

Detection Logic
Detection Logic7 selectors
detection:
    selection:
        PipeName|startswith: '\PSHost'
    filter_main_generic:
        - Image|contains:
              - ':\Program Files\PowerShell\7-preview\pwsh.exe' # Powershell 7
              - ':\Program Files\PowerShell\7\pwsh.exe' # Powershell 7
              - ':\Windows\system32\dsac.exe'
              - ':\Windows\system32\inetsrv\w3wp.exe'   # this is sad :,( but it triggers FPs on Exchange servers
              - ':\Windows\System32\sdiagnhost.exe'
              - ':\Windows\system32\ServerManager.exe'
              - ':\Windows\system32\wbem\wmiprvse.exe'
              - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
              - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              - ':\Windows\System32\wsmprovhost.exe'
              - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
              - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
        - Image|contains|all:
              - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
              - '\pwsh.exe'
        - Image|contains|all:
              - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
              - '\pwsh.exe'
    filter_optional_sqlserver: # Microsoft SQL Server\130\Tools\
        Image|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
        Image|contains: '\Microsoft SQL Server\'
        Image|endswith: '\Tools\Binn\SQLPS.exe'
    filter_optional_azure_connected_machine_agent:
        # Azure Connected Machine Agent (https://devblogs.microsoft.com/powershell/azure-policy-guest-configuration-client/)
        Image|startswith: 'C:\Program Files\AzureConnectedMachineAgent\GCArcService'
        Image|endswith: '\GC\gc_worker.exe'
    filter_optional_citrix:
        Image|startswith: 'C:\Program Files\Citrix\'
    filter_optional_exchange:
        Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
    filter_main_null:
        Image: null
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives

Programs using PowerShell directly without invocation of a dedicated interpreter.

References
1
Resolving title…
threathunterplaybook.com
2
Resolving title…
threathunterplaybook.com
MITRE ATT&CK
Related Rules
DerivedDetectioninformational

New PowerShell Instance Created

Detects the execution of PowerShell via the creation of a named pipe starting with PSHost

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
58cb02d5-78ce-4692-b3e1-dce850aae41a
Status
test
Level
medium
Type
Detection
Created
Thu Sep 12
Modified
Tue Oct 07
Author
Roberto Rodriguez (Cyb3rWard0g), Tim Shelton
Path
rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml
Raw Tags
attack.executionattack.t1059.001
View on GitHub