Detectionmediumtest

Windows PowerShell User Agent

Detects Windows PowerShell Web Access

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems)Created Mon Mar 13Updated Sat Nov 27c8557060-9221-4448-8794-96320e6f3e74web

Log Source

Proxy Log

CategoryProxy Log← raw: proxy

Detection Logic

detection:
    selection:
        c-useragent|contains: ' WindowsPowerShell/'
    condition: selection

False Positives

Administrative scripts that download files from the Internet

Administrative scripts that retrieve certain website contents

References

MITRE ATT&CK

Tactics

Sub-techniques

Rule Metadata

Rule ID

c8557060-9221-4448-8794-96320e6f3e74

Status

test

Level

medium

Type

Detection

Created

Mon Mar 13

Modified

Sat Nov 27

Author

Path

rules/web/proxy_generic/proxy_ua_powershell.yml

Raw Tags

attack.defense-evasionattack.command-and-controlattack.t1071.001