Hi,
The issues I had reported earlier, numbers 4004 to 4009, are some of the examples which demonstrate the necessity to take into account all processes which can be related to PowerShell. In multiple Security Content scenarios, we still see that not all possible values of process_name have been included, and the optimal way of structuring the search strings through the use of the process_powershell macro has been overlooked.
Apart from the necessity to look into scenarios involving the following data sources:
- Windows Event Log / Security / EventID 4688
- Windows / Sysmon / EventID 1
for process creation events related to PowerShell, and to use the process_powershell macro in them instead of defining process_name independently in the search strings, there is yet one additional requirement which needs to be addressed; namely, to ensure that the process_powershell macro is complete and accurate, since its intended use is as a standard in all scenarios.
The current content of this macro is as follows:
```
(Processes.process_name=pwsh.exe OR Processes.process_name=powershell.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE)
```
There is a gap for one important process, namely PowerShell ISE (powershell_ise.exe).
When I looked at this I found out that when you run something in PowerShell ISE, including any cmdlets and binaries, the parent process is powershell_ise.exe.
To summarize:
- Using the process_powershell macro is really important when we are dealing with data sources like EventID 4688 and Sysmon EventID 1 related to PowerShell process creation, to make sure we do not ignore processes like pwsh.exe and powershell_ise.exe.
- Update the process_powershell macro to include powershell_ise.exe as follows:
```
(Processes.process_name=pwsh.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.exe)
```
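As an added illustration (not code from the Security Content project or from this report), the following Python models the macro's `OR` match logic over a handful of constructed process-creation events and shows exactly which events the current definition misses and the proposed one catches. It assumes Splunk's default case-insensitive `field=value` comparison; the event dictionaries and `parent_process_name` values are constructed for the example.

```python
# Added example: emulate the process_powershell macro over constructed
# Sysmon EventID 1 / Security 4688 style events (Processes data model fields).
# Not the project's code; field values below are constructed for illustration.

CURRENT_MACRO = {
    "process_name": {"pwsh.exe", "powershell.exe"},
    "original_file_name": {"pwsh.dll", "PowerShell.EXE"},
}

PROPOSED_MACRO = {
    "process_name": {"pwsh.exe", "powershell.exe", "powershell_ise.exe"},
    "original_file_name": {"pwsh.dll", "PowerShell.EXE", "powershell_ise.exe"},
}

# Constructed sample events. The renamed-binary case shows why the macro
# also keys on original_file_name (PE version info) and not just process_name.
SAMPLE_EVENTS = [
    {"process_name": "powershell.exe", "original_file_name": "PowerShell.EXE",
     "parent_process_name": "explorer.exe"},
    {"process_name": "pwsh.exe", "original_file_name": "pwsh.dll",
     "parent_process_name": "cmd.exe"},
    {"process_name": "powershell_ise.exe", "original_file_name": "powershell_ise.exe",
     "parent_process_name": "explorer.exe"},
    {"process_name": "posh.exe", "original_file_name": "PowerShell.EXE",
     "parent_process_name": "explorer.exe"},  # renamed copy of powershell.exe
    {"process_name": "notepad.exe", "original_file_name": "NOTEPAD.EXE",
     "parent_process_name": "powershell_ise.exe"},  # child launched from ISE
]


def matches_macro(event: dict, macro: dict) -> bool:
    """True if any field=value clause of the macro matches (SPL OR semantics).
    Splunk field=value search is case-insensitive, so compare lowercased."""
    for field, values in macro.items():
        actual = event.get(field)
        if actual is not None and actual.lower() in {v.lower() for v in values}:
            return True
    return False


def matched_names(events: list, macro: dict) -> list:
    """Sorted process_name values the macro would return from these events."""
    return sorted(e["process_name"] for e in events if matches_macro(e, macro))


def coverage_gap(events: list, old_macro: dict, new_macro: dict) -> list:
    """Process names caught by new_macro that old_macro silently drops."""
    return sorted(set(matched_names(events, new_macro)) - set(matched_names(events, old_macro)))


if __name__ == "__main__":
    print("current :", matched_names(SAMPLE_EVENTS, CURRENT_MACRO))
    print("proposed:", matched_names(SAMPLE_EVENTS, PROPOSED_MACRO))
    print("gap     :", coverage_gap(SAMPLE_EVENTS, CURRENT_MACRO, PROPOSED_MACRO))
```

The last event (notepad.exe with an ISE parent) is matched by neither definition, which is the point made above: a search that wants children of an ISE session has to look at the parent process, and that parent is powershell_ise.exe.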
Thank you for your time and consideration.
Best regards
App Version: