Amsi.DLL Loaded Via LOLBIN Process
Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack
Sigma rule (View on GitHub)
1title: Amsi.DLL Loaded Via LOLBIN Process
2id: 6ec86d9e-912e-4726-91a2-209359b999b9
3status: experimental
4description: Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack
5references:
6 - Internal Research
7 - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2023/06/01
10modified: 2023/09/20
11tags:
12 - attack.defense_evasion
13logsource:
14 category: image_load
15 product: windows
16detection:
17 selection:
18 ImageLoaded|endswith: '\amsi.dll'
19 Image|endswith:
20 # TODO: Add more interesting processes
21 - '\ExtExport.exe'
22 - '\odbcconf.exe'
23 - '\regsvr32.exe'
24 - '\rundll32.exe'
25 condition: selection
26falsepositives:
27 - Unknown
28level: medium
References
Related rules
- DLL Load By System Process From Suspicious Locations
- DNS Query Request By Regsvr32.EXE
- Greedy File Deletion Using Del
- OceanLotus Registry Activity
- OneNote Attachment File Dropped In Suspicious Location