Powerup Write Hijack DLL

Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In its default mode, it builds a self-deleting .bat file which executes a malicious command. The detection rule relies on the creation of the malicious .bat file (debug.bat by default).

Sigma rule

title: Powerup Write Hijack DLL
id: 602a1f13-c640-4d73-b053-be9a2fa58b96
status: test
description: |
    Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.
    In it's default mode, it builds a self deleting .bat file which executes malicious command.
    The detection rule relies on creation of the malicious bat file (debug.bat by default).
references:
    - https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
author: Subhash Popuri (@pbssubhash)
date: 2021/08/21
modified: 2022/10/09
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.defense_evasion
    - attack.t1574.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|endswith: '.bat'
    condition: selection
falsepositives:
    - Any powershell script that creates bat files # highly unlikely (untested)
level: high
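The selection logic of the rule above, evaluated against constructed Windows file_event records, as an added example that is not part of the Sigma rule or the PowerUp project. The FileEvent class, the helper names (matches_powerup_bat, triage, run_rule) and the sample records are assumptions made for this example; the field values come from the rule itself.

```python
from dataclasses import dataclass

# Values copied from the rule's selection block. Sigma string matching is
# case-insensitive, so both fields are lowercased before comparison.
IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
TARGET_SUFFIX = ".bat"
DEFAULT_POWERUP_BAT = "debug.bat"  # default artefact name from the rule description


@dataclass
class FileEvent:
    """Minimal file_event record (Sysmon Event ID 11 style); field names assumed."""
    image: str
    target_filename: str


def matches_powerup_bat(ev: FileEvent) -> bool:
    """Evaluate 'condition: selection': Image|endswith AND TargetFilename|endswith."""
    image = ev.image.lower()
    target = ev.target_filename.lower()
    return image.endswith(IMAGE_SUFFIXES) and target.endswith(TARGET_SUFFIX)


def triage(ev: FileEvent) -> str:
    """Hypothetical analyst helper: the rule fires on any .bat written by
    PowerShell (hence the listed false positive); the default PowerUp name
    debug.bat is reported separately as a higher-confidence hit."""
    if not matches_powerup_bat(ev):
        return "no-match"
    basename = ev.target_filename.lower().rsplit("\\", 1)[-1]
    return "match-default-name" if basename == DEFAULT_POWERUP_BAT else "match"


def run_rule(events):
    """Return (TargetFilename, verdict) for every event, as a SIEM alert list would."""
    return [(ev.target_filename, triage(ev)) for ev in events]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    FileEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\Temp\debug.bat"),
    FileEvent(r"C:\Program Files\PowerShell\7\pwsh.exe",
              r"C:\Users\Public\cleanup.bat"),
    FileEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\Temp\debug.bat"),
    FileEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\Public\report.txt"),
]
```

Only the first two events fire the rule; the third (cmd.exe writing debug.bat) does not, which is the gap a file-basename-only variant of the rule would close at the cost of more false positives.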
