
Powershell Execute Batch Script

Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. Batch files (e.g. .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Author
François Hubaut
Created
Sun Jan 02

Log Source
Product
Windows (raw: windows)
Category
PowerShell Script (raw: ps_script)

Definition

Requirements: Script Block Logging must be enabled

Detection Logic (2 selectors)

```yaml
detection:
    selection_start:
        ScriptBlockText|contains: Start-Process
    selection_batch:
        ScriptBlockText|contains:
            - '.cmd'
            - '.bat'
    condition: all of selection_*
```
False Positives

Legitimate administration script
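To see exactly what the two selectors and the `all of selection_*` condition accept, the following added example (not part of the rule or of the Sigma project) re-implements the rule's matching in Python and runs it over a few constructed Script Block Logging records (Event ID 4104, `ScriptBlockText` field). Sigma's `contains` modifier is a case-insensitive substring test and a value list is OR-ed, so the evaluator does the same; the sample script blocks, including the benign administration script that the False Positives note refers to, are invented for illustration.

```python
"""Evaluate the Sigma rule above against constructed PowerShell Script Block
Logging records (Event ID 4104, ScriptBlockText field).

Added example, not part of the rule or the Sigma project. The records are
constructed; matching follows Sigma semantics: `contains` is a case-insensitive
substring test, a value list is OR-ed, and `all of selection_*` requires every
selection whose name starts with `selection_` to match.
"""

# Mirror of the rule's two selections: field name and the substrings to look for.
SELECTIONS = {
    "selection_start": ("ScriptBlockText", ["Start-Process"]),
    "selection_batch": ("ScriptBlockText", [".cmd", ".bat"]),
}


def selection_matches(event: dict, field: str, needles: list[str]) -> bool:
    """Sigma `contains` with a value list: OR over values, case-insensitive."""
    value = event.get(field)
    if not isinstance(value, str):
        return False  # a record without the field never matches
    haystack = value.lower()
    return any(needle.lower() in haystack for needle in needles)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_* -> every selection_* must match."""
    return all(
        selection_matches(event, field, needles)
        for name, (field, needles) in SELECTIONS.items()
        if name.startswith("selection_")
    )


# Constructed sample 4104 records (not real telemetry).
SAMPLE_EVENTS = [
    # both selections hit: Start-Process launching a .bat file
    {"EventID": 4104, "ScriptBlockText": "Start-Process -FilePath 'C:\\Temp\\update.bat' -WindowStyle Hidden"},
    # still hits: Sigma matching is case-insensitive, so 'start-process' and '.CMD' count;
    # this one is the kind of legitimate administration script the rule lists as a false positive
    {"EventID": 4104, "ScriptBlockText": "start-process cmd.exe -ArgumentList '/c C:\\scripts\\backup.CMD'"},
    # only selection_start: no batch file extension in the block
    {"EventID": 4104, "ScriptBlockText": "Start-Process notepad.exe"},
    # only selection_batch: the rule is scoped to Start-Process launches, so this does not fire
    {"EventID": 4104, "ScriptBlockText": "& 'C:\\build\\run.bat'"},
    # neither selection
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\Windows\\Temp"},
]


def evaluate(events: list[dict]) -> list[int]:
    """Return the indices of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['ScriptBlockText']}")
```

Run as a script it reports the first two records. The second one illustrates the rule's stated false positive: a scheduled backup wrapper launched by an administrator matches exactly like a malicious one, so triage should look at the batch file's path, signer and parent process rather than at the match alone.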

Rule Metadata
Rule ID
b5522a23-82da-44e5-9c8b-e10ed8955f88
Status
test
Level
medium
Type
Detection
Created
Sun Jan 02
Path
rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml
Raw Tags
attack.execution, attack.t1059.003