detection.wiki

Detection rules › Sigma

Execution of Powershell Script in Public Folder

Severity
high
Author
Max Altgelt (Nextron Systems)
Source
upstream

This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1059.001 Command and Scripting Interpreter: PowerShell

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation
Security-Auditing4688A new process has been created.

Stages and Predicates

Stage 1: selection

or:
CommandLine|contains: '-f %Public%'
CommandLine|contains: '-f C:\Users\Public'
CommandLine|contains: '-f "C:\Users\Public'
CommandLine|contains: '-fi %Public%'
CommandLine|contains: '-fi C:\Users\Public'
CommandLine|contains: '-fi "C:\Users\Public'
CommandLine|contains: '-fil %Public%'
CommandLine|contains: '-fil C:\Users\Public'
CommandLine|contains: '-fil "C:\Users\Public'
CommandLine|contains: '-file %Public%'
CommandLine|contains: '-file C:\Users\Public'
CommandLine|contains: '-file "C:\Users\Public'
or:
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • -f "C:\Users\Public
  • -f %Public%
  • -f C:\Users\Public
  • -fi "C:\Users\Public
  • -fi %Public%
  • -fi C:\Users\Public
  • -fil "C:\Users\Public
  • -fil %Public%
  • -fil C:\Users\Public
  • -file "C:\Users\Public
  • -file %Public%
  • -file C:\Users\Public
Imageends_with
  • \powershell.exe corpus 143 (sigma 143)
  • \pwsh.exe corpus 140 (sigma 140)