title: Alternate PowerShell Hosts
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/11
description: Detects alternate PowerShell hosts potentially bypassing detections looking
    for powershell.exe
detection:
    SELECTION_1:
        HostApplication: '*'
    SELECTION_2:
        HostApplication: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe*
    condition: (SELECTION_1 and  not (SELECTION_2))
falsepositives:
- Programs using PowerShell directly without invocation of a dedicated interpreter
- MSP Detection Searcher
- Citrix ConfigSync.ps1
id: d7326048-328b-4d5e-98af-86e84b17c765
level: medium
logsource:
    category: ps_classic_start
    definition: fields have to be extract from event
    product: windows
modified: 2021/10/16
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
related:
-   id: 64e8e417-c19a-475a-8d19-98ea705394cc
    type: derived
status: test
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
yml_filename: powershell_classic_alternate_powershell_hosts.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic