← Back to Explore
sigmamediumHunting
Execute Code with Pester.bat
Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
Detection Query
powershell_module:
Image|endswith:
- \powershell.exe
- \pwsh.exe
CommandLine|contains|all:
- Pester
- Get-Help
cmd_execution:
Image|endswith: \cmd.exe
CommandLine|contains|all:
- pester
- ;
get_help:
CommandLine|contains:
- help
- \?
condition: powershell_module or (cmd_execution and get_help)
Author
Julia Fomina, oscd.community
Created
2020-10-08
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.executionattack.t1059.001attack.defense-evasionattack.t1216
Raw Content
title: Execute Code with Pester.bat
id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
status: test
description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
references:
- https://twitter.com/Oddvarmoe/status/993383596244258816
- https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md
author: Julia Fomina, oscd.community
date: 2020-10-08
modified: 2023-11-09
tags:
- attack.execution
- attack.t1059.001
- attack.defense-evasion
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
powershell_module:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains|all:
- 'Pester'
- 'Get-Help'
cmd_execution:
Image|endswith: '\cmd.exe'
CommandLine|contains|all:
- 'pester'
- ';'
get_help:
CommandLine|contains:
- 'help'
- '\?'
condition: powershell_module or (cmd_execution and get_help)
falsepositives:
- Legitimate use of Pester for writing tests for Powershell scripts and modules
level: medium