HackTool - Powerup Write Hijack DLL

PowerUp's Write-HijackDll exploits DLL hijacking for privilege escalation. In its default mode, it builds a self-deleting .bat file that executes a malicious command. The detection rule relies on the creation of that malicious .bat file (debug.bat by default) by a PowerShell process.

Sigma rule

title: HackTool - Powerup Write Hijack DLL
id: 602a1f13-c640-4d73-b053-be9a2fa58b96
status: test
description: |
    Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.
    In its default mode, it builds a self-deleting .bat file which executes a malicious command.
    The detection rule relies on creation of the malicious bat file (debug.bat by default).
references:
    - https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
author: Subhash Popuri (@pbssubhash)
date: 2021-08-21
modified: 2024-06-27
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|endswith: '.bat'
    condition: selection
falsepositives:
    - Any powershell script that creates bat files # highly unlikely (untested)
level: high
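As an added illustration (not part of the rule or of the SigmaHQ project), the evaluator below applies the rule's `selection` to a few constructed file-creation events, showing Sigma's case-insensitive `endswith` matching and the AND between the two field conditions; the event records and paths are made up for the example.

```python
"""Stand-alone evaluator for the file_event selection of the Sigma rule above.

Implements Sigma's default string semantics for the two fields the rule uses:
`endswith` is case-insensitive, a list value is OR-ed, and the two field
conditions inside `selection` are AND-ed.
"""

# Constructed sample events in the shape of a normalised Windows file-creation
# log (e.g. Sysmon Event ID 11 after field mapping). Not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Windows\Temp\debug.bat"},          # rule's default artefact
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "TargetFilename": r"C:\Users\Public\RUN.BAT"},            # upper-case extension
    {"Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\Public\setup.bat"},          # wrong process
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Scripts\build.ps1"},               # wrong extension
]

IMAGE_SUFFIXES = (r"\powershell.exe", r"\pwsh.exe")
TARGET_SUFFIX = ".bat"


def sigma_endswith(value: str, suffixes) -> bool:
    """Sigma `|endswith` with a list value: case-insensitive, any-of."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_rule(event: dict) -> bool:
    """True if the event satisfies `selection` (both field conditions hold)."""
    image = event.get("Image", "")
    target = event.get("TargetFilename", "")
    return (sigma_endswith(image, IMAGE_SUFFIXES)
            and sigma_endswith(target, (TARGET_SUFFIX,)))


def alerts(events) -> list:
    """Return the TargetFilename of every event that fires the rule."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("HackTool - Powerup Write Hijack DLL:", path)
```

The second sample event fires only because the extension comparison is case-insensitive, which is the Sigma default; a backend that emits a case-sensitive query would miss it.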
