title: Alternate PowerShell Hosts Pipe
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/09/12
description: Detects alternate PowerShell hosts potentially bypassing detections looking
    for powershell.exe
detection:
    SELECTION_1:
        EventID: 17
    SELECTION_2:
        EventID: 18
    SELECTION_3:
        PipeName: \PSHost*
    SELECTION_4:
        Image: '*\powershell.exe'
    SELECTION_5:
        Image: '*\powershell_ise.exe'
    condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and  not ((SELECTION_4
        or SELECTION_5)))
falsepositives:
- Programs using PowerShell directly without invocation of a dedicated interpreter.
fields:
- ComputerName
- User
- Image
- PipeName
id: 58cb02d5-78ce-4692-b3e1-dce850aae41a
level: medium
logsource:
    category: pipe_created
    product: windows
modified: 2019/11/10
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
status: experimental
tags:
- attack.execution
- attack.t1086
- attack.t1059.001
yml_filename: sysmon_alternate_powershell_hosts_pipe.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created