PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language.
Adversaries also use PowerShell for malicious activity, and many detection strategies exist for spotting it. PowerShell's capabilities let you simplify and automate tedious, repetitive tasks by writing scripts that combine multiple commands.
Recently, attackers introduced a new way to bypass PowerShell detections: they load the PowerShell DLLs from their own binaries and run PowerShell activity without ever starting powershell.exe.
With this free Sigma rule, you can detect and monitor binaries that load the PowerShell DLLs.
title: Detect powershell_without_powershell attacks
description: powershell does not equal powershell.exe. Adversaries may use powershell dlls to perform their malicious powershell activities
author: Francesco Marcini
condition: selection 1
To use this detection rule, convert it to your SIEM's query language.
You can also check out our previous Sigma detection rule.
Adversaries can also use PowerShell to download malicious code or exfiltrate sensitive information. With this free Sigma rule, you can monitor network connections that originate from powershell.exe.
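The two detections this post points at (the PowerShell engine DLL loaded by a binary other than a PowerShell host, and network connections originating from powershell.exe) expressed as plain Python over constructed Sysmon-style events, so the logic can be read and run offline. This is an added example, not the Sigma rule or code from Securemind.se. It assumes Sysmon's Event ID 7 (Image loaded) and Event ID 3 (Network connection) field names, and that the "PowerShell DLLs" the post refers to are the engine assembly System.Management.Automation.dll and its native-image variant; the sample events, paths and addresses are made up.

```python
# Added example (not the page's Sigma rule): the two detections described in
# this post applied in Python to constructed Sysmon-style events.
# Assumptions: Sysmon Event ID 7 (Image loaded) and Event ID 3 (Network
# connection) field names; the "PowerShell DLLs" are the engine assembly
# System.Management.Automation.dll and its native-image variant.
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

IMAGE_LOADED = 7      # Sysmon: a DLL was loaded into a process
NETWORK_CONNECT = 3   # Sysmon: a process opened a network connection

# The PowerShell engine assembly (assumption: this is what the post calls "powershell dlls").
POWERSHELL_DLLS = {
    "system.management.automation.dll",
    "system.management.automation.ni.dll",  # NGEN native image of the same assembly
}

# Processes that are expected to host the PowerShell engine.
LEGITIMATE_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. C:\\Temp\\A.EXE -> a.exe."""
    return PureWindowsPath(path).name.lower()


def powershell_without_powershell(event: Dict[str, object]) -> bool:
    """Rule 1: the PowerShell engine DLL is loaded by an image that is not a PowerShell host."""
    if event.get("EventID") != IMAGE_LOADED:
        return False
    if image_name(str(event.get("ImageLoaded", ""))) not in POWERSHELL_DLLS:
        return False
    return image_name(str(event.get("Image", ""))) not in LEGITIMATE_HOSTS


def powershell_network_connection(event: Dict[str, object]) -> bool:
    """Rule 2: a network connection whose originating process is powershell.exe."""
    if event.get("EventID") != NETWORK_CONNECT:
        return False
    return image_name(str(event.get("Image", ""))) == "powershell.exe"


RULES = (
    ("Detect powershell_without_powershell attacks", powershell_without_powershell),
    ("Network connection from powershell.exe", powershell_network_connection),
)


def run_rules(events: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (rule title, originating image) for every event that matches a rule."""
    alerts = []
    for event in events:
        for title, rule in RULES:
            if rule(event):
                alerts.append((title, str(event.get("Image", ""))))
    return alerts


# Constructed sample events (not real telemetry). Paths are made up;
# 203.0.113.x addresses are from the documentation range TEST-NET-3.
AUTOMATION_DLL = r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"
SAMPLE_EVENTS = [
    # powershell.exe loading its own engine: expected, no alert
    {"EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ImageLoaded": AUTOMATION_DLL},
    # unknown binary loading the engine: the "powershell without powershell" pattern
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "ImageLoaded": AUTOMATION_DLL},
    # unknown binary loading an unrelated DLL: no alert
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    # powershell.exe talking to the network: matches the second rule
    {"EventID": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # browser talking to the network: no alert
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "DestinationIp": "203.0.113.20", "DestinationPort": 443},
]

if __name__ == "__main__":
    for title, image in run_rules(SAMPLE_EVENTS):
        print(f"[{title}] {image}")
```

Two operational points for anyone porting this to a SIEM: Sysmon only emits Event ID 7 and Event ID 3 when its configuration enables them, and image-load logging is noisy enough that most configurations filter it to a short list of DLLs, so the engine assembly has to be on that list. The allowlist of legitimate hosts also needs tuning per environment, since management and developer tooling can host the PowerShell engine legitimately; treat a match as a lead to investigate, with the loading image's path, signer and parent process as the first things to check.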
Secure Your Organization’s Mind with Securemind.se