From 9282f56cb0acf9e274212c3166569809dc1b7fb0 Mon Sep 17 00:00:00 2001
From: Erik
Date: Mon, 18 May 2026 18:08:58 +0200
Subject: [PATCH] Updated the detection logic and added the alias saps

---
 .../powershell_script/posh_ps_susp_start_process.yml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml
index f7528c4cf92..cdd1f2e6809 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml
@@ -4,9 +4,10 @@ status: test
 description: Powershell use PassThru option to start in background
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md
-    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7
+    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/start-process?view=powershell-7.6
 author: frack113
 date: 2022-01-15
+modified: 2026-05-18
 tags:
     - attack.stealth
     - attack.t1036.003
@@ -15,12 +16,15 @@ logsource:
     category: ps_script
     definition: 'Requirements: Script Block Logging must be enabled'
 detection:
-    selection:
+    selection_cmdlet:
+        ScriptBlockText|contains:
+            - 'Start-Process '
+            - 'saps '
+    selection_param:
         ScriptBlockText|contains|all:
-            - Start-Process
             - '-PassThru '
             - '-FilePath '
-    condition: selection
+    condition: all of selection_*
 falsepositives:
     - Legitimate PowerShell scripts
 level: medium
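Review bot: The new `selection_cmdlet` list in the second hunk covers the `saps` alias but not `start`, which the linked Microsoft reference lists as the other built-in alias of Start-Process, so a script block using `start -PassThru -FilePath ...` no longer matches. Adding `- 'start '` to that list would close the gap, but that token is a much more common substring in script text than `saps `, so it is worth weighing against the `falsepositives` entry and possibly noting the trade-off in the rule `description`. Note also that `ScriptBlockText|contains` with `'saps '` and `'Start-Process '` is a substring match, so any word ending in those characters (or the cmdlet followed by a tab or line break instead of a space) is matched or missed accordingly; if that is intended, a short comment such as `# trailing space avoids matching Start-ProcessFoo-style names` above the list would document it. The first hunk is a reference URL update and a `modified` date and needs no change.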