PowerShell Core DLL Loaded By Non PowerShell Process
Detects loading of essential DLLs used by PowerShell by non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension.
Sigma rule (View on GitHub)
1title: PowerShell Core DLL Loaded By Non PowerShell Process
2id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f
3related:
4 - id: 867613fb-fa60-4497-a017-a82df74a172c
5 type: obsolete
6 - id: fe6e002f-f244-4278-9263-20e4b593827f
7 type: obsolete
8status: experimental
9description: |
10 Detects loading of essential DLLs used by PowerShell by non-PowerShell process.
11 Detects behavior similar to meterpreter's "load powershell" extension.
12references:
13 - https://adsecurity.org/?p=2921
14 - https://github.com/p3nt4/PowerShdll
15author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
16date: 2019-11-14
17modified: 2024-01-17
18tags:
19 - attack.t1059.001
20 - attack.execution
21logsource:
22 category: image_load
23 product: windows
24detection:
25 selection:
26 - Description: 'System.Management.Automation'
27 - OriginalFileName: 'System.Management.Automation.dll'
28 - ImageLoaded|endswith:
29 - '\System.Management.Automation.dll'
30 - '\System.Management.Automation.ni.dll'
31 filter_main_generic:
32 Image|endswith:
33 - ':\Program Files\PowerShell\7\pwsh.exe' # PowerShell 7
34 - ':\Windows\System32\dsac.exe'
35 - ':\WINDOWS\System32\RemoteFXvGPUDisablement.exe'
36 - ':\Windows\System32\runscripthelper.exe'
37 - ':\WINDOWS\System32\sdiagnhost.exe'
38 - ':\Windows\System32\ServerManager.exe'
39 - ':\Windows\System32\SyncAppvPublishingServer.exe'
40 - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
41 - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
42 - ':\Windows\System32\winrshost.exe'
43 - ':\Windows\System32\wsmprovhost.exe'
44 - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
45 - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
46 - ':\Windows\SysWOW64\winrshost.exe'
47 - ':\Windows\SysWOW64\wsmprovhost.exe'
48 filter_main_dotnet:
49 Image|contains:
50 - ':\Windows\Microsoft.NET\Framework\'
51 - ':\Windows\Microsoft.NET\Framework64\'
52 Image|endswith: '\mscorsvw.exe'
53 filter_optional_sql_server_mgmt:
54 Image|contains:
55 - ':\Program Files (x86)\Microsoft SQL Server Management Studio'
56 - ':\Program Files\Microsoft SQL Server Management Studio'
57 Image|endswith: '\IDE\Ssms.exe'
58 filter_optional_sql_server_tools:
59 Image|contains:
60 - ':\Program Files (x86)\Microsoft SQL Server\'
61 - ':\Program Files\Microsoft SQL Server\'
62 Image|endswith: '\Tools\Binn\SQLPS.exe'
63 filter_optional_citrix:
64 Image|endswith: '\Citrix\ConfigSync\ConfigSyncRun.exe'
65 filter_optional_vs:
66 Image|contains:
67 - ':\Program Files (x86)\Microsoft Visual Studio\'
68 - ':\Program Files\Microsoft Visual Studio\'
69 filter_optional_chocolatey:
70 Image|contains: ':\ProgramData\chocolatey\choco.exe'
71 filter_optional_nextron:
72 Image|contains: ':\Windows\Temp\asgard2-agent\'
73 Image|endswith:
74 - '\thor64.exe'
75 - '\thor.exe'
76 # User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM
77 filter_optional_aurora:
78 # This filter is to avoid a race condition FP with this specific ETW provider in aurora
79 Image: null
80 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
81falsepositives:
82 - Used by some .NET binaries, minimal on user workstation.
83 - Used by Microsoft SQL Server Management Studio
84level: medium
References
-
This post is a follow-up of sorts from my earlier posts on PowerShell, my PowerShell presentation at BSides Baltimore, and my presentation at DEF CON 24. Hopefully this post provides current inform...
Read More -
Related rules
- AWS EC2 Startup Shell Script Change
- Alternate PowerShell Hosts - PowerShell Module
- Bad Opsec Powershell Code Artifacts
- BloodHound Collection Files
- Certificate Exported Via PowerShell