Amsi.DLL Loaded Via LOLBIN Process

Detects loading of "Amsi.dll" by a living-off-the-land binary (LOLBIN). Because these binaries are not expected to host the .NET/PowerShell runtime, such a load can be an indication of a "PowerShell without PowerShell" attack, where script execution is tunnelled through a trusted signed binary rather than powershell.exe.

Sigma rule (View on GitHub)

```yaml
title: Amsi.DLL Loaded Via LOLBIN Process
id: 6ec86d9e-912e-4726-91a2-209359b999b9
status: experimental
description: Detects loading of "Amsi.dll" by a living off the land process. This could be an indication of a "PowerShell without PowerShell" attack
references:
    - Internal Research
    - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/06/01
modified: 2023/09/20
tags:
    - attack.defense_evasion
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\amsi.dll'
        Image|endswith:
            # TODO: Add more interesting processes
            - '\ExtExport.exe'
            - '\odbcconf.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
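To make the rule's logic concrete, the following added example (not part of the Sigma project or this rule's author's work) re-implements the `selection` block as a small matcher and runs it over constructed Sysmon Event ID 7 (image load) records. It generalises slightly beyond the rule: it evaluates any Sigma selection map whose entries use plain equality or the `endswith` modifier, applying Sigma's default case-insensitive string matching, AND across fields and OR across list values. The event field names (`Image`, `ImageLoaded`, `ProcessId`) follow the Sysmon image-load schema; the sample events and their process IDs are constructed for illustration.

```python
# Added example: evaluate this Sigma rule's `selection` against constructed
# Sysmon Event ID 7 (image load) records. Not the Sigma project's own code.
from typing import Dict, List, Union

Event = Dict[str, str]
Selection = Dict[str, Union[str, List[str]]]

# Mirrors the rule's `selection` block: "Field|modifier" -> value or list of values.
SELECTION: Selection = {
    "ImageLoaded|endswith": r"\amsi.dll",
    "Image|endswith": [
        r"\ExtExport.exe",
        r"\odbcconf.exe",
        r"\regsvr32.exe",
        r"\rundll32.exe",
    ],
}


def _field_matches(field_spec: str, expected: Union[str, List[str]], event: Event) -> bool:
    """Evaluate one "Field|modifier" entry against an event.

    Only the modifiers this rule needs are implemented: plain equality (no
    modifier) and `endswith`. Sigma string matching is case-insensitive by
    default, so both sides are lower-cased. A list of values is an OR.
    """
    field, _, modifier = field_spec.partition("|")
    actual = event.get(field)
    if actual is None:
        # Field absent (e.g. a process-creation event has no ImageLoaded): no match.
        return False
    actual = actual.lower()
    candidates = expected if isinstance(expected, list) else [expected]
    for cand in candidates:
        cand = cand.lower()
        if modifier == "endswith" and actual.endswith(cand):
            return True
        if modifier == "" and actual == cand:
            return True
        if modifier not in ("", "endswith"):
            raise ValueError(f"unsupported Sigma modifier: {modifier}")
    return False


def selection_matches(selection: Selection, event: Event) -> bool:
    """A Sigma selection map is an AND over all of its entries."""
    return all(_field_matches(spec, value, event) for spec, value in selection.items())


def run_detection(events: List[Event], selection: Selection = SELECTION) -> List[Event]:
    """Return the events that satisfy the rule (condition: selection)."""
    return [e for e in events if selection_matches(selection, e)]


# Constructed sample events in Sysmon image-load form (paths and PIDs are made up).
SAMPLE_EVENTS: List[Event] = [
    # rundll32.exe pulling in amsi.dll: a LOLBIN hosting a scripting runtime -> alert.
    {"ProcessId": "4120", "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\System32\amsi.dll"},
    # Mixed case on both fields; Sigma matching is case-insensitive -> alert.
    {"ProcessId": "4388", "Image": r"C:\Windows\SysWOW64\RegSvr32.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\AMSI.DLL"},
    # powershell.exe is expected to load amsi.dll and is not in the list -> no alert.
    {"ProcessId": "2200", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\System32\amsi.dll"},
    # rundll32.exe loading an unrelated DLL -> no alert.
    {"ProcessId": "5004", "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
    # odbcconf.exe loading amsi.dll -> alert.
    {"ProcessId": "6012", "Image": r"C:\Windows\System32\odbcconf.exe",
     "ImageLoaded": r"C:\Windows\System32\amsi.dll"},
    # A process-creation style record without ImageLoaded -> no alert.
    {"ProcessId": "7100", "Image": r"C:\Windows\System32\rundll32.exe"},
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"ALERT pid={hit['ProcessId']} image={hit['Image']} loaded={hit['ImageLoaded']}")
```

In production the rule is not evaluated by hand-written Python like this; a Sigma backend translates it into the query language of the SIEM or EDR that ingests the image-load telemetry. The matcher is useful for reasoning about the rule: it shows why powershell.exe loading amsi.dll is deliberately not covered (that load is normal), and it gives a place to test tuning, since the rule's false-positive list is still "Unknown" and a new environment should first be surveyed for legitimate loads of amsi.dll by the listed binaries before the rule is raised above "medium".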
