Detection rules › Sigma
Renamed Powershell Under Powershell Channel
Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059.001 Command and Scripting Interpreter: PowerShell |
| Defense Evasion | T1036.003 Masquerading: Rename Legitimate Utilities |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| PowerShell | 400 |
Stages and Predicates
Stage 1: selection
Data|contains: 'HostName=ConsoleHost'
Stage 2: not 1 of filter_main_*
or:
Data|contains: 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
Data|contains: 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
Data|contains: 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
Data|contains: 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
Data|contains: 'HostApplication=C:\\\\WINDOWS\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'
Data|contains: 'HostApplication=C:\\\\WINDOWS\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'
Data|contains: 'HostApplication=powershell'
Data|re: 'HostId=[a-zA-Z0-9-]{36}\s+EngineVersion='
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Data | match |
|
Data | regex_match |
|