Execution via CL_Mutexverifiers.ps1 (2 Lines)
Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
Sigma rule (View on GitHub)
1title: Execution via CL_Mutexverifiers.ps1 (2 Lines)
2id: 6609c444-9670-4eab-9636-fe4755a851ce
3status: unsupported
4description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
5references:
6 - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/
7 - https://twitter.com/pabraeken/status/995111125447577600
8author: oscd.community, Natalia Shornikova
9date: 2020/10/14
10modified: 2023/02/24
11tags:
12 - attack.defense_evasion
13 - attack.t1216
14logsource:
15 product: windows
16 category: ps_script
17 definition: 'Requirements: Script Block Logging must be enabled'
18detection:
19 selection:
20 ScriptBlockText|contains:
21 - 'CL_Mutexverifiers.ps1'
22 - 'runAfterCancelProcess'
23 condition: selection | count(ScriptBlockText) by Computer > 2
24 # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
25 # PS > runAfterCancelProcess c:\Evil.exe
26falsepositives:
27 - Unknown
28level: high
References
-
Import the PowerShell Diagnostic CL_Mutexverifiers script and call runAfterCancelProcess to launch an executable. . C:\Windows\diagnostics\system\AERO\CL_Mutexverifiers.ps1 \nrunAfterCancelProcess ...
Read More -
Related rules
- Execution via CL_Invocation.ps1 (2 Lines)
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
- Remote Code Execute via Winrm.vbs
- Potential Manage-bde.wsf Abuse To Proxy Execution
- AWS Macie Evasion