This rule detects execution of PowerShell scripts located in the “C:\Users\Public” folder
title: Execution of Powershell Script in Public Folder
id: fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4
status: test
description: This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
references:
- https://www.mandiant.com/resources/evolution-of-fin7
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
modified: 2022-07-14
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- '-f C:\Users\Public'
- '-f "C:\Users\Public'
- '-f %Public%'
- '-fi C:\Users\Public'
- '-fi "C:\Users\Public'
- '-fi %Public%'
- '-fil C:\Users\Public'
- '-fil "C:\Users\Public'
- '-fil %Public%'
- '-file C:\Users\Public'
- '-file "C:\Users\Public'
- '-file %Public%'
condition: selection
falsepositives:
- Unlikely
level: high
imProcessCreate
| where (TargetProcessName endswith "\\powershell.exe" or TargetProcessName endswith "\\pwsh.exe") and (TargetProcessCommandLine contains "-f C:\\Users\\Public" or TargetProcessCommandLine contains "-f \"C:\\Users\\Public" or TargetProcessCommandLine contains "-f %Public%" or TargetProcessCommandLine contains "-fi C:\\Users\\Public" or TargetProcessCommandLine contains "-fi \"C:\\Users\\Public" or TargetProcessCommandLine contains "-fi %Public%" or TargetProcessCommandLine contains "-fil C:\\Users\\Public" or TargetProcessCommandLine contains "-fil \"C:\\Users\\Public" or TargetProcessCommandLine contains "-fil %Public%" or TargetProcessCommandLine contains "-file C:\\Users\\Public" or TargetProcessCommandLine contains "-file \"C:\\Users\\Public" or TargetProcessCommandLine contains "-file %Public%")| Sentinel Table | Notes |
|---|---|
imProcessCreate | Ensure this data connector is enabled |