title: T1086 PowerShell Execution
ruletype: Sigma
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2019/09/12
description: Detects execution of PowerShell
detection:
  SELECTION_1:
    EventID: 17
  SELECTION_2:
    EventID: 18
  SELECTION_3:
    PipeName: \PSHost*
  condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
falsepositives:
- Unknown
id: ac7102b4-9e1e-4802-9b4f-17c5524c015c
level: informational
logsource:
  category: pipe_created
  product: windows
modified: 2021/11/27
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
status: test
tags:
- attack.execution
- attack.t1059.001