sigmalowHunting

Renamed Powershell Under Powershell Channel

Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.

MITRE ATT&CK

T1059.001 T1036.003

executiondefense-evasion

Detection Query

selection:
  Data|contains: HostName=ConsoleHost
filter_main_ps:
  Data|contains:
    - HostApplication=powershell
    - HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell
    - HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell
    - HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell
    - HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell
    - HostApplication=C:\\\\WINDOWS\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe
    - HostApplication=C:\\\\WINDOWS\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe
filter_main_host_application_null:
  Data|re: HostId=[a-zA-Z0-9-]{36}\s+EngineVersion=
condition: selection and not 1 of filter_main_*

Author

Harish Segar, frack113

Created

2020-06-29

Data Sources

windowsps_classic_start

Platforms

windows

References

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse

Tags

attack.executionattack.defense-evasionattack.t1059.001attack.t1036.003

Raw Content

title: Renamed Powershell Under Powershell Channel
id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
status: test
description: |
    Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Harish Segar, frack113
date: 2020-06-29
modified: 2025-01-20
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1059.001
    - attack.t1036.003
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains: 'HostName=ConsoleHost'
    # Note: Powershell Logging Data is localized. Meaning that "HostApplication" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer amount of possibilities. It's up to the user to add these cases.
    filter_main_ps:
        Data|contains:
            - 'HostApplication=powershell'
            - 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
            - 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
            # In some cases powershell was invoked with inverted slashes
            - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
            - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
            - 'HostApplication=C:\\\\WINDOWS\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'
            - 'HostApplication=C:\\\\WINDOWS\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'
    filter_main_host_application_null:
        # Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex.
        # If you're already mapping and extracting the field, then obviously use that directly.
        Data|re: 'HostId=[a-zA-Z0-9-]{36}\s+EngineVersion='
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: low