← Library
sigmaDRL-1.1from SigmaHQ/sigma

Renamed Powershell Under Powershell Channel

Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.

Quality
76
FP risk
Forks
0
Views
0
ATT&CK techniques
T1059.001T1036.003
Rule sourcerules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
title: Renamed Powershell Under Powershell Channel
id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
status: test
description: |
    Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Harish Segar, frack113
date: 2020-06-29
modified: 2025-01-20
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1059.001
    - attack.t1036.003
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains: 'HostName=ConsoleHost'
    # Note: Powershell Logging Data is localized. Meaning that "HostApplication" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer amount of possibilities. It's up to the user to add these cases.
    filter_main_ps:
        Data|contains:
            - 'HostApplication=powershell'
            - 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
            - 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
            # In some cases powershell was invoked with inverted slashes
            - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
            - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
            - 'HostApplication=C:\\\\WINDOWS\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'
            - 'HostApplication=C:\\\\WINDOWS\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'
    filter_main_host_application_null:
        # Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex.
        # If you're already mapping and extracting the field, then obviously use that directly.
        Data|re: 'HostId=[a-zA-Z0-9-]{36}\s+EngineVersion='
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: low