Threat Hunt | medium | test
Uncommon PowerShell Hosts
Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
Author: Roberto Rodriguez (Cyb3rWard0g). Created Sun Aug 11. Updated Wed Oct 22. Rule ID d7326048-328b-4d5e-98af-86e84b17c765. Product: windows.
Hunting Hypothesis
Log Source
Windows / PowerShell Classic
Product: Windows (raw: windows)
Category: PowerShell Classic (raw: ps_classic_start)
Detection Logic (4 selectors)
detection:
    selection:
        Data|contains: 'HostApplication='
        # Note: PowerShell logging data is localized, meaning that the "HostApplication" field will be translated to a different field name on a non-English layout. This rule doesn't take this into account due to the sheer amount of possibilities. It's up to the user to add these cases.
    filter_main_ps:
        Data|contains:
            - 'HostApplication=?:/Windows/System32/WindowsPowerShell/v1.0/powershell' # In some cases powershell was invoked with inverted slashes
            - 'HostApplication=?:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell' # In some cases powershell was invoked with inverted slashes
            - 'HostApplication=?:\Windows\System32\sdiagnhost.exe'
            - 'HostApplication=?:\Windows\System32\WindowsPowerShell\v1.0\powershell'
            - 'HostApplication=?:\Windows\SysWOW64\sdiagnhost.exe'
            - 'HostApplication=?:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
            - 'HostApplication=powershell'
    filter_optional_citrix:
        Data|contains: 'Citrix\ConfigSync\ConfigSync.ps1'
    filter_optional_hexnode:
        Data|contains: 'HostApplication=C:\Hexnode\Hexnode Agent\Current\HexnodeAgent.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives
Programs using PowerShell directly without invocation of a dedicated interpreter
MSP Detection Searcher
Citrix ConfigSync.ps1
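As an added worked example (not part of the Sigma rule or of the SigmaHQ project), the Python below re-implements this rule's selection, filters and condition and runs them over constructed Windows PowerShell Event ID 400 "Data" strings. The `sigma_contains` translation of Sigma's `?` (one character) and `*` (any run) wildcards into a case-insensitive regex, the `event_data` builder and the `hunt` driver are the example's own; the host paths under C:\LabTools and the "LOCALIZED_HOSTAPPLICATION_FIELD" name are constructed placeholders, not real binaries or a real translation.

```python
import re
from typing import Dict, List

# Pattern values copied verbatim from the rule above.
SELECTION = ["HostApplication="]
FILTER_MAIN_PS = [
    r"HostApplication=?:/Windows/System32/WindowsPowerShell/v1.0/powershell",
    r"HostApplication=?:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell",
    r"HostApplication=?:\Windows\System32\sdiagnhost.exe",
    r"HostApplication=?:\Windows\System32\WindowsPowerShell\v1.0\powershell",
    r"HostApplication=?:\Windows\SysWOW64\sdiagnhost.exe",
    r"HostApplication=?:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell",
    r"HostApplication=powershell",
]
FILTER_OPTIONAL_CITRIX = [r"Citrix\ConfigSync\ConfigSync.ps1"]
FILTER_OPTIONAL_HEXNODE = [r"HostApplication=C:\Hexnode\Hexnode Agent\Current\HexnodeAgent.exe"]


def sigma_contains(pattern: str) -> re.Pattern:
    """Translate one Sigma 'contains' value into a compiled, unanchored regex.

    Sigma wildcards: '?' matches exactly one character, '*' any run of characters.
    A backslash escapes a following wildcard or backslash; any other backslash
    (e.g. in '\\Windows') is a literal path separator. Matching is case-insensitive,
    which is Sigma's default for string values.
    """
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "*?\\":
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append("." if ch == "?" else ".*" if ch == "*" else re.escape(ch))
        i += 1
    return re.compile("".join(out), re.IGNORECASE)


def any_contains(data: str, patterns: List[str]) -> bool:
    return any(sigma_contains(p).search(data) for p in patterns)


def alternate_powershell_host(data: str) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not any_contains(data, SELECTION):
        return False
    if any_contains(data, FILTER_MAIN_PS):
        return False
    if any_contains(data, FILTER_OPTIONAL_CITRIX + FILTER_OPTIONAL_HEXNODE):
        return False
    return True


def event_data(host_application: str, host_name: str = "ConsoleHost") -> str:
    """Constructed minimal Event ID 400 'Data' payload in the classic log's key=value layout."""
    return "\n\t".join([
        "NewEngineState=Available",
        "PreviousEngineState=None",
        f"HostName={host_name}",
        f"HostApplication={host_application}",
        "EngineVersion=5.1.0.0",
    ])


# Constructed sample events: each exercises one branch of the rule.
SAMPLE_EVENTS: Dict[str, str] = {
    "system32_powershell": event_data(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile"),
    "forward_slash_powershell": event_data("C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"),
    "bare_powershell": event_data(r"powershell -File C:\Scripts\inventory.ps1"),
    "sdiagnhost": event_data(r"C:\Windows\System32\sdiagnhost.exe"),
    "hexnode_agent": event_data(r"C:\Hexnode\Hexnode Agent\Current\HexnodeAgent.exe"),
    "citrix_configsync": event_data(r"C:\LabTools\ScriptHost.exe C:\ProgramData\Citrix\ConfigSync\ConfigSync.ps1"),
    "custom_host": event_data(r"C:\LabTools\ScriptHost.exe -run job.ps1", host_name="ScriptHost"),
    # Non-English layout: the field name is translated, so the English token is absent
    # and the event never enters 'selection' (the caveat in the rule's comment).
    "localized_layout": event_data(r"C:\LabTools\ScriptHost.exe -run job.ps1").replace(
        "HostApplication=", "LOCALIZED_HOSTAPPLICATION_FIELD="),
}


def hunt(events: Dict[str, str]) -> List[str]:
    """Return the names of the events the rule would surface."""
    return [name for name, data in events.items() if alternate_powershell_host(data)]


if __name__ == "__main__":
    for name in hunt(SAMPLE_EVENTS):
        print("alternate host:", name)
```

Only `custom_host` survives the filters; every stock powershell.exe spelling, sdiagnhost.exe, the Hexnode agent and the Citrix script are suppressed, and the localized event is silently missed, which is exactly the blind spot the rule's own comment asks the user to close by adding translated field names to `selection`.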
MITRE ATT&CK: Execution (attack.execution), T1059.001 (attack.t1059.001)
Rule Metadata
Rule ID: d7326048-328b-4d5e-98af-86e84b17c765
Status: test
Level: medium
Type: Threat Hunt
Created: Sun Aug 11
Modified: Wed Oct 22
Path: rules-threat-hunting/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
Raw Tags: attack.execution, attack.t1059.001, detection.threat-hunting