EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Alternate PowerShell Hosts Pipe

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

MITRE ATT&CK

T1059.001
execution

Detection Query

selection:
  PipeName|startswith: \PSHost
filter_main_generic:
  - Image|contains:
      - :\Program Files\PowerShell\7-preview\pwsh.exe
      - :\Program Files\PowerShell\7\pwsh.exe
      - :\Windows\system32\dsac.exe
      - :\Windows\system32\inetsrv\w3wp.exe
      - :\Windows\System32\sdiagnhost.exe
      - :\Windows\system32\ServerManager.exe
      - :\Windows\system32\wbem\wmiprvse.exe
      - :\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
      - :\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      - :\Windows\System32\wsmprovhost.exe
      - :\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
      - :\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  - Image|contains|all:
      - C:\Program Files\WindowsApps\Microsoft.PowerShellPreview
      - \pwsh.exe
  - Image|contains|all:
      - \AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview
      - \pwsh.exe
filter_optional_sqlserver:
  Image|startswith:
    - C:\Program Files (x86)\
    - C:\Program Files\
  Image|contains: \Microsoft SQL Server\
  Image|endswith: \Tools\Binn\SQLPS.exe
filter_optional_azure_connected_machine_agent:
  Image|startswith: C:\Program Files\AzureConnectedMachineAgent\GCArcService
  Image|endswith: \GC\gc_worker.exe
filter_optional_citrix:
  Image|startswith: C:\Program Files\Citrix\
filter_optional_exchange:
  Image|startswith: C:\Program Files\Microsoft\Exchange Server\
filter_main_null:
  Image: null
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

Author

Roberto Rodriguez @Cyb3rWard0g, Tim Shelton

Created

2019-09-12

Data Sources

windowsNamed Pipe Events

Platforms

windows

References

Tags

attack.executionattack.t1059.001
Raw Content
title: Alternate PowerShell Hosts Pipe
id: 58cb02d5-78ce-4692-b3e1-dce850aae41a
related:
    - id: ac7102b4-9e1e-4802-9b4f-17c5524c015c
      type: derived
status: test
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
references:
    - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
    - https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
date: 2019-09-12
modified: 2025-10-07
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|startswith: '\PSHost'
    filter_main_generic:
        - Image|contains:
              - ':\Program Files\PowerShell\7-preview\pwsh.exe' # Powershell 7
              - ':\Program Files\PowerShell\7\pwsh.exe' # Powershell 7
              - ':\Windows\system32\dsac.exe'
              - ':\Windows\system32\inetsrv\w3wp.exe'   # this is sad :,( but it triggers FPs on Exchange servers
              - ':\Windows\System32\sdiagnhost.exe'
              - ':\Windows\system32\ServerManager.exe'
              - ':\Windows\system32\wbem\wmiprvse.exe'
              - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
              - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              - ':\Windows\System32\wsmprovhost.exe'
              - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
              - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
        - Image|contains|all:
              - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
              - '\pwsh.exe'
        - Image|contains|all:
              - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
              - '\pwsh.exe'
    filter_optional_sqlserver: # Microsoft SQL Server\130\Tools\
        Image|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
        Image|contains: '\Microsoft SQL Server\'
        Image|endswith: '\Tools\Binn\SQLPS.exe'
    filter_optional_azure_connected_machine_agent:
        # Azure Connected Machine Agent (https://devblogs.microsoft.com/powershell/azure-policy-guest-configuration-client/)
        Image|startswith: 'C:\Program Files\AzureConnectedMachineAgent\GCArcService'
        Image|endswith: '\GC\gc_worker.exe'
    filter_optional_citrix:
        Image|startswith: 'C:\Program Files\Citrix\'
    filter_optional_exchange:
        Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
    filter_main_null:
        Image: null
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Programs using PowerShell directly without invocation of a dedicated interpreter.
level: medium