From 5f9264bd029071b37a49f0078fbc593d67afc9ba Mon Sep 17 00:00:00 2001
From: Connor Carnes <connor.carnes@rackspace.com>
Date: Fri, 27 Jan 2023 19:30:51 -0600
Subject: [PATCH] Add pwsh.exe to list of suspicious Windows tools

---
 sysmonconfig-export.xml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 028d373..08d72bf 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -301,8 +301,9 @@
 			<Image condition="image">net1.exe</Image> <!--Windows: Launched by "net.exe", but it may not detect connections either -->
 			<Image condition="image">notepad.exe</Image> <!--Windows: [ https://secrary.com/ReversingMalware/CoinMiner/ ] [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
 			<Image condition="image">nslookup.exe</Image> <!--Windows: Retrieve data over DNS -->
-			<Image condition="image">powershell.exe</Image> <!--Windows: PowerShell interface-->
+			<Image condition="image">powershell.exe</Image> <!--Windows: PowerShell interface-->
 			<Image condition="image">powershell_ise.exe</Image> <!--Windows: PowerShell interface-->
+			<Image condition="image">pwsh.exe</Image> <!--Windows: PowerShell Version 6 and above interface-->
 			<Image condition="image">qprocess.exe</Image> <!--Windows: [ https://www.first.org/resources/papers/conf2017/APT-Log-Analysis-Tracking-Attack-Tools-by-Audit-Policy-and-Sysmon.pdf ] -->
 			<Image condition="image">qwinsta.exe</Image> <!--Windows: Query remote sessions | Credit @ion-storm -->
 			<Image condition="image">qwinsta.exe</Image> <!--Windows: Remotely query login sessions on a server or workstation | Credit @ion-storm -->