← Back to Explore
sigmahighHunting
Execution of Powershell Script in Public Folder
This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
Detection Query
selection:
Image|endswith:
- \powershell.exe
- \pwsh.exe
CommandLine|contains:
- -f C:\Users\Public
- -f "C:\Users\Public
- -f %Public%
- -fi C:\Users\Public
- -fi "C:\Users\Public
- -fi %Public%
- -fil C:\Users\Public
- -fil "C:\Users\Public
- -fil %Public%
- -file C:\Users\Public
- -file "C:\Users\Public
- -file %Public%
condition: selection
Author
Max Altgelt (Nextron Systems)
Created
2022-04-06
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.executionattack.t1059.001
Raw Content
title: Execution of Powershell Script in Public Folder
id: fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4
status: test
description: This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
references:
- https://www.mandiant.com/resources/evolution-of-fin7
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
modified: 2022-07-14
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- '-f C:\Users\Public'
- '-f "C:\Users\Public'
- '-f %Public%'
- '-fi C:\Users\Public'
- '-fi "C:\Users\Public'
- '-fi %Public%'
- '-fil C:\Users\Public'
- '-fil "C:\Users\Public'
- '-fil %Public%'
- '-file C:\Users\Public'
- '-file "C:\Users\Public'
- '-file %Public%'
condition: selection
falsepositives:
- Unlikely
level: high