Execution via CL_Mutexverifiers.ps1 (2 Lines)
Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
Sigma rule (View on GitHub)
1title: Execution via CL_Mutexverifiers.ps1 (2 Lines)
2id: 6609c444-9670-4eab-9636-fe4755a851ce
3status: unsupported
4description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
5references:
6 - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/
7 - https://twitter.com/pabraeken/status/995111125447577600
8author: oscd.community, Natalia Shornikova
9date: 2020/10/14
10modified: 2023/02/24
11tags:
12 - attack.defense_evasion
13 - attack.t1216
14logsource:
15 product: windows
16 category: ps_script
17 definition: 'Requirements: Script Block Logging must be enabled'
18detection:
19 selection:
20 ScriptBlockText|contains:
21 - 'CL_Mutexverifiers.ps1'
22 - 'runAfterCancelProcess'
23 condition: selection | count(ScriptBlockText) by Computer > 2
24 # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
25 # PS > runAfterCancelProcess c:\Evil.exe
26falsepositives:
27 - Unknown
28level: high
References
-
CL_Mutexverifiers.ps1 is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More
Related rules
- Execution via CL_Invocation.ps1 (2 Lines)
- AWS Macie Evasion
- Defense evasion via process reimaging
- File Creation by Office Applications
- Files Dropped to Program Files by Non-Priviledged Process