← Back to Explore
sigmamediumHunting
PowerShell Script Run in AppData
Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
Detection Query
selection1:
CommandLine|contains:
- powershell.exe
- \powershell
- \pwsh
- pwsh.exe
selection2:
CommandLine|contains|all:
- "/c "
- \AppData\
CommandLine|contains:
- Local\
- Roaming\
condition: all of selection*
Author
Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
Created
2019-01-09
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.executionattack.t1059.001
Raw Content
title: PowerShell Script Run in AppData
id: ac175779-025a-4f12-98b0-acdaeb77ea85
status: test
description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
references:
- https://twitter.com/JohnLaTwC/status/1082851155481288706
- https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2019-01-09
modified: 2022-07-14
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains:
- 'powershell.exe'
- '\powershell'
- '\pwsh'
- 'pwsh.exe'
selection2:
CommandLine|contains|all:
- '/c '
- '\AppData\'
CommandLine|contains:
- 'Local\'
- 'Roaming\'
condition: all of selection*
falsepositives:
- Administrative scripts
level: medium