Amsi.DLL Loaded Via LOLBIN Process
Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack
Sigma rule (View on GitHub)
1title: Amsi.DLL Loaded Via LOLBIN Process
2id: 6ec86d9e-912e-4726-91a2-209359b999b9
3status: test
4description: Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack
5references:
6 - Internal Research
7 - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2023-06-01
10modified: 2023-09-20
11tags:
12 - attack.defense-evasion
13logsource:
14 category: image_load
15 product: windows
16detection:
17 selection:
18 ImageLoaded|endswith: '\amsi.dll'
19 Image|endswith:
20 # TODO: Add more interesting processes
21 - '\ExtExport.exe'
22 - '\odbcconf.exe'
23 - '\regsvr32.exe'
24 - '\rundll32.exe'
25 condition: selection
26falsepositives:
27 - Unknown
28level: medium
References
-
Cortex XDR researchers discuss the hard-to-detect "PowerShell without PowerShell" attacks and the important role Cortex XDR plays in defending against them.
Read More
Related rules
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity