Execution via CL_Invocation.ps1 (2 Lines)
Detects Execution via SyncInvoke in CL_Invocation.ps1 module
Sigma rule (View on GitHub)
1title: Execution via CL_Invocation.ps1 (2 Lines)
2id: f588e69b-0750-46bb-8f87-0e9320d57536
3status: unsupported
4description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
5references:
6 - https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/
7 - https://twitter.com/bohops/status/948061991012327424
8author: oscd.community, Natalia Shornikova
9date: 2020/10/14
10modified: 2023/02/24
11tags:
12 - attack.defense_evasion
13 - attack.t1216
14logsource:
15 product: windows
16 category: ps_script
17 definition: 'Requirements: Script Block Logging must be enabled'
18detection:
19 selection:
20 ScriptBlockText|contains:
21 - 'CL_Invocation.ps1'
22 - 'SyncInvoke'
23 condition: selection | count(ScriptBlockText) by Computer > 2
24 # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
25 # PS > SyncInvoke c:\Evil.exe
26falsepositives:
27 - Unknown
28level: high
References
Related rules
- Execution via CL_Mutexverifiers.ps1 (2 Lines)
- AWS Macie Evasion
- Defense evasion via process reimaging
- File Creation by Office Applications
- Files Dropped to Program Files by Non-Priviledged Process