cscli scenarios install sigmahq/proc_creation_win_powershell_public_folder1type: trigger2name: sigmahq/proc_creation_win_powershell_public_folder3description: |4 This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder5filter: |6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\powershell.exe' || evt.Parsed.Image endsWith '\\pwsh.exe') && (evt.Parsed.CommandLine contains '-f C:\\Users\\Public' || evt.Parsed.CommandLine contains '-f "C:\\Users\\Public' || evt.Parsed.CommandLine contains '-f %Public%' || evt.Parsed.CommandLine contains '-fi C:\\Users\\Public' || evt.Parsed.CommandLine contains '-fi "C:\\Users\\Public' || evt.Parsed.CommandLine contains '-fi %Public%' || evt.Parsed.CommandLine contains '-fil C:\\Users\\Public' || evt.Parsed.CommandLine contains '-fil "C:\\Users\\Public' || evt.Parsed.CommandLine contains '-fil %Public%' || evt.Parsed.CommandLine contains '-file C:\\Users\\Public' || evt.Parsed.CommandLine contains '-file "C:\\Users\\Public' || evt.Parsed.CommandLine contains '-file %Public%'))7blackhole: 2m8#status: test9labels:10 service: windows11 confidence: 112 spoofable: 013 classification:14 - attack.t1059.0011516 label: "Execution of Powershell Script in Public Folder"17 behavior : "windows:audit"18 remediation: false1920scope:21 type: ParentProcessId22 expression: evt.Parsed.ParentProcessId2324