title: Alternate PowerShell Hosts
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/11
description: Detects alternate PowerShell hosts potentially bypassing detections looking
    for powershell.exe
detection:
    SELECTION_1:
        ContextInfo: '*'
    SELECTION_2:
        ContextInfo: '*powershell.exe*'
    condition: (SELECTION_1 and  not (SELECTION_2))
falsepositives:
- Programs using PowerShell directly without invocation of a dedicated interpreter
- MSP Detection Searcher
- Citrix ConfigSync.ps1
id: 64e8e417-c19a-475a-8d19-98ea705394cc
level: medium
logsource:
    category: ps_module
    definition: PowerShell Module Logging must be enabled
    product: windows
modified: 2021/10/16
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
status: test
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
yml_filename: powershell_alternate_powershell_hosts.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module