
Summary
This detection rule identifies the creation of files that PowerShell produces when it is used interactively, specifically when those files are written in the SYSTEM user context on Windows. The files of interest are PowerShell configuration (profile) and command-history files: they are written when a person types commands into a PowerShell session rather than when a script runs non-interactively, so their appearance under the SYSTEM profile indicates that someone has obtained an interactive PowerShell session with SYSTEM privileges. Because SYSTEM is the highest-privileged local account, such a session can read or alter anything on the host and may sidestep controls that apply to ordinary user accounts, which makes this activity worth alerting on. The rule triggers on the file-creation event itself; it does not inspect the content of the files. False positives can arise from legitimate administrative actions, scheduled tasks, or management agents that run PowerShell as SYSTEM. Triage should therefore look at the process that wrote the file, its parent process, and whether the activity is expected on that host, rather than treating every match as malicious.
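The following is an added example, not the rule itself or code from the rule's authors, showing the detection logic run over a handful of constructed file-creation records shaped like Sysmon Event ID 11 (FileCreate). The concrete file patterns (the PSReadLine ConsoleHost_history.txt file and per-user profile.ps1 files) and the SYSTEM profile path C:\Windows\System32\config\systemprofile are the editor's assumptions about which "configuration and history files" the rule means; the page does not list the rule's exact paths, and the allowlisted management-agent path is hypothetical.

```python
import re

# Assumption: SYSTEM's per-user profile directory on a default Windows install.
SYSTEMPROFILE = "C:\\Windows\\System32\\config\\systemprofile"

# Constructed sample records in a Sysmon Event ID 11 (FileCreate) style layout.
# This is illustrative data, not captured telemetry.
SAMPLE_EVENTS = [
    # SYSTEM typing into PowerShell: PSReadLine writes the console history file.
    {"EventID": 11, "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": SYSTEMPROFILE + "\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell"
                                        "\\PSReadLine\\ConsoleHost_history.txt"},
    # SYSTEM creating a PowerShell profile script.
    {"EventID": 11, "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": SYSTEMPROFILE + "\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1"},
    # Same artifact, but written by an ordinary user: not in scope for this rule.
    {"EventID": 11, "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell"
                       "\\PSReadLine\\ConsoleHost_history.txt"},
    # SYSTEM writing an unrelated file: not in scope.
    {"EventID": 11, "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\Temp\\update.log"},
    # Hypothetical management agent (assumed path) dropping a profile as SYSTEM:
    # matches the rule, but is a candidate for allowlisting during triage.
    {"EventID": 11, "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Program Files\\ExampleAgent\\agent.exe",
     "TargetFilename": SYSTEMPROFILE + "\\Documents\\WindowsPowerShell\\profile.ps1"},
    # A process-creation event, ignored because the rule is a file event.
    {"EventID": 1, "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": ""},
]

# Assumed artifact patterns. Each pair is (label, regex over the full target path).
ARTIFACT_PATTERNS = (
    ("history", re.compile(r"\\psreadline\\consolehost_history\.txt$", re.IGNORECASE)),
    ("profile", re.compile(r"\\(windows)?powershell\\[^\\]*profile\.ps1$", re.IGNORECASE)),
)

# The User field is localised on non-English systems, so a file under the
# SYSTEM profile directory is treated as SYSTEM context regardless of that field.
SYSTEM_USERS = {"nt authority\\system", "system"}


def matches_powershell_artifact(path):
    """Return the artifact kind ('history' or 'profile') for a path, or None."""
    for label, pattern in ARTIFACT_PATTERNS:
        if pattern.search(path):
            return label
    return None


def is_system_context(event):
    """True if the event was generated in the SYSTEM user context."""
    user = event.get("User", "").lower()
    target = event.get("TargetFilename", "").lower()
    return user in SYSTEM_USERS or target.startswith(SYSTEMPROFILE.lower())


def detect(events):
    """Apply the rule: FileCreate events for PowerShell artifacts in SYSTEM context."""
    hits = []
    for event in events:
        if event.get("EventID") != 11:
            continue
        kind = matches_powershell_artifact(event.get("TargetFilename", ""))
        if kind is None or not is_system_context(event):
            continue
        hits.append({"kind": kind,
                     "image": event.get("Image", ""),
                     "target": event["TargetFilename"]})
    return hits


def triage(hits, allowlisted_images):
    """Drop hits whose writing process is on an explicit full-path allowlist."""
    allowed = {p.lower() for p in allowlisted_images}
    return [h for h in hits if h["image"].lower() not in allowed]


if __name__ == "__main__":
    for hit in triage(detect(SAMPLE_EVENTS), {"C:\\Program Files\\ExampleAgent\\agent.exe"}):
        print(f"[{hit['kind']}] {hit['image']} wrote {hit['target']}")
```

The allowlist is keyed on the full image path only because that is what the sample records carry; in production, pair it with the process hash or signer, since an attacker who can write as SYSTEM can also launch a binary from an allowlisted path.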
Categories
- Windows
- Endpoint
Data Sources
- File
Created: 2021-12-07