Rule Content
- title: PowerShell Script Run in AppData
id: ac175779-025a-4f12-98b0-acdaeb77ea85
status: experimental
description: Detects a suspicious command line execution that invokes PowerShell
with reference to an AppData folder
references:
- https://twitter.com/JohnLaTwC/status/1082851155481288706
- https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
tags:
- attack.execution
- attack.t1086
author: Florian Roth
date: 2019/01/09
logsource:
category: process_creation
product: windows
service: null
detection:
selection:
CommandLine:
- '* /c powershell*\AppData\Local\\*'
- '* /c powershell*\AppData\Roaming\\*'
condition: selection
falsepositives:
- Administrative scripts
level: medium