sigmahighHunting

Suspicious Interactive PowerShell as SYSTEM

Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context

MITRE ATT&CK

execution

Detection Query

selection:
  TargetFilename:
    - C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    - C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
condition: selection

Author

Florian Roth (Nextron Systems)

Created

2021-12-07

Data Sources

windowsFile Events

Platforms

windows

References

https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm

Tags

attack.executionattack.t1059.001

Raw Content

title: Suspicious Interactive PowerShell as SYSTEM
id: 5b40a734-99b6-4b98-a1d0-1cea51a08ab2
status: test
description: Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm
author: Florian Roth (Nextron Systems)
date: 2021-12-07
modified: 2022-08-13
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename:
            - 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
            - 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive'
    condition: selection
falsepositives:
    - Administrative activity
    - PowerShell scripts running as SYSTEM user
level: high