PowerShell Core DLL Loaded By Non PowerShell Process

 1title: PowerShell Core DLL Loaded By Non PowerShell Process
 2id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f
 3related:
 4    - id: 867613fb-fa60-4497-a017-a82df74a172c
 5      type: obsolete
 6    - id: fe6e002f-f244-4278-9263-20e4b593827f
 7      type: obsolete
 8status: test
 9description: |
10    Detects loading of essential DLLs used by PowerShell by non-PowerShell process.
11    Detects behavior similar to meterpreter's "load powershell" extension.    
12references:
13    - https://adsecurity.org/?p=2921
14    - https://github.com/p3nt4/PowerShdll
15author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
16date: 2019-11-14
17modified: 2025-02-24
18tags:
19    - attack.t1059.001
20    - attack.execution
21logsource:
22    category: image_load
23    product: windows
24detection:
25    selection:
26        - Description: 'System.Management.Automation'
27        - OriginalFileName: 'System.Management.Automation.dll'
28        - ImageLoaded|endswith:
29              - '\System.Management.Automation.dll'
30              - '\System.Management.Automation.ni.dll'
31    filter_main_generic:
32        Image|endswith:
33            - ':\Program Files\PowerShell\7\pwsh.exe' # PowerShell 7
34            - ':\Windows\System32\dsac.exe'
35            - ':\WINDOWS\System32\RemoteFXvGPUDisablement.exe'
36            - ':\Windows\System32\runscripthelper.exe'
37            - ':\WINDOWS\System32\sdiagnhost.exe'
38            - ':\Windows\System32\ServerManager.exe'
39            - ':\Windows\System32\SyncAppvPublishingServer.exe'
40            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
41            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
42            - ':\Windows\System32\winrshost.exe'
43            - ':\Windows\System32\wsmprovhost.exe'
44            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
45            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
46            - ':\Windows\SysWOW64\winrshost.exe'
47            - ':\Windows\SysWOW64\wsmprovhost.exe'
48    filter_main_dotnet:
49        Image|contains:
50            - ':\Windows\Microsoft.NET\Framework\'
51            - ':\Windows\Microsoft.NET\FrameworkArm\'
52            - ':\Windows\Microsoft.NET\FrameworkArm64\'
53            - ':\Windows\Microsoft.NET\Framework64\'
54        Image|endswith: '\mscorsvw.exe'
55    filter_optional_sql_server_mgmt:
56        Image|contains:
57            - ':\Program Files (x86)\Microsoft SQL Server Management Studio'
58            - ':\Program Files\Microsoft SQL Server Management Studio'
59        Image|endswith: '\IDE\Ssms.exe'
60    filter_optional_sql_server_tools:
61        Image|contains:
62            - ':\Program Files (x86)\Microsoft SQL Server\'
63            - ':\Program Files\Microsoft SQL Server\'
64        Image|endswith: '\Tools\Binn\SQLPS.exe'
65    filter_optional_citrix:
66        Image|endswith: '\Citrix\ConfigSync\ConfigSyncRun.exe'
67    filter_optional_vs:
68        Image|contains:
69            - ':\Program Files (x86)\Microsoft Visual Studio\'
70            - ':\Program Files\Microsoft Visual Studio\'
71    filter_optional_chocolatey:
72        Image|contains: ':\ProgramData\chocolatey\choco.exe'
73    filter_optional_nextron:
74        Image|contains: ':\Windows\Temp\asgard2-agent\'
75        Image|endswith:
76            - '\thor64.exe'
77            - '\thor.exe'
78        # User: 'NT AUTHORITY\SYSTEM'   # if set, matches all powershell processes not launched by SYSTEM
79    filter_optional_aurora:
80        # This filter is to avoid a race condition FP with this specific ETW provider in aurora
81        Image: null
82    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
83falsepositives:
84    - Used by some .NET binaries, minimal on user workstation.
85    - Used by Microsoft SQL Server Management Studio
86level: medium