PowerShell Core DLL Loaded By Non PowerShell Process

Oct 9, 2025 · attack.t1059.001 attack.execution ·

Detects loading of essential DLLs used by PowerShell by non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension.

Sigma rule (View on GitHub)

 1title: PowerShell Core DLL Loaded By Non PowerShell Process
 2id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f
 3related:
 4    - id: 867613fb-fa60-4497-a017-a82df74a172c
 5      type: obsolete
 6    - id: fe6e002f-f244-4278-9263-20e4b593827f
 7      type: obsolete
 8status: test
 9description: |
10    Detects loading of essential DLLs used by PowerShell by non-PowerShell process.
11    Detects behavior similar to meterpreter's "load powershell" extension.    
12references:
13    - https://adsecurity.org/?p=2921
14    - https://github.com/p3nt4/PowerShdll
15author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
16date: 2019-11-14
17modified: 2025-10-07
18tags:
19    - attack.t1059.001
20    - attack.execution
21logsource:
22    category: image_load
23    product: windows
24detection:
25    selection:
26        - Description: 'System.Management.Automation'
27        - OriginalFileName: 'System.Management.Automation.dll'
28        - ImageLoaded|endswith:
29              - '\System.Management.Automation.dll'
30              - '\System.Management.Automation.ni.dll'
31    filter_main_powershell:
32        Image:
33            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe' # PowerShell 7 preview
34            - 'C:\Program Files\PowerShell\7\pwsh.exe' # PowerShell 7
35            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
36            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
37            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
38            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
39    filter_main_pwsh_preview:
40        Image|contains:
41            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
42            - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
43        Image|endswith: '\pwsh.exe'
44    filter_main_generic:
45        Image:
46            - 'C:\Windows\System32\dsac.exe'
47            - 'C:\WINDOWS\System32\RemoteFXvGPUDisablement.exe'
48            - 'C:\Windows\System32\runscripthelper.exe'
49            - 'C:\WINDOWS\System32\sdiagnhost.exe'
50            - 'C:\Windows\System32\ServerManager.exe'
51            - 'C:\Windows\System32\SyncAppvPublishingServer.exe'
52            - 'C:\Windows\System32\winrshost.exe'
53            - 'C:\Windows\System32\wsmprovhost.exe'
54            - 'C:\Windows\SysWOW64\winrshost.exe'
55            - 'C:\Windows\SysWOW64\wsmprovhost.exe'
56    filter_main_dotnet:
57        Image|startswith:
58            - 'C:\Windows\Microsoft.NET\Framework\'
59            - 'C:\Windows\Microsoft.NET\FrameworkArm\'
60            - 'C:\Windows\Microsoft.NET\FrameworkArm64\'
61            - 'C:\Windows\Microsoft.NET\Framework64\'
62        Image|endswith: '\mscorsvw.exe'
63    filter_optional_sql_server_mgmt:
64        Image|startswith:
65            - 'C:\Program Files (x86)\Microsoft SQL Server Management Studio'
66            - 'C:\Program Files\Microsoft SQL Server Management Studio'
67        Image|endswith: '\IDE\Ssms.exe'
68    filter_optional_sql_server_tools:
69        Image|startswith:
70            - 'C:\Program Files (x86)\Microsoft SQL Server\'
71            - 'C:\Program Files\Microsoft SQL Server\'
72        Image|endswith: '\Tools\Binn\SQLPS.exe'
73    filter_optional_citrix:
74        Image|endswith: '\Citrix\ConfigSync\ConfigSyncRun.exe'
75    filter_optional_vs:
76        Image|startswith:
77            - 'C:\Program Files (x86)\Microsoft Visual Studio\'
78            - 'C:\Program Files\Microsoft Visual Studio\'
79    filter_optional_chocolatey:
80        Image|startswith: 'C:\ProgramData\chocolatey\choco.exe'
81    filter_optional_nextron:
82        Image|startswith: 'C:\Windows\Temp\asgard2-agent\'
83        Image|endswith:
84            - '\thor64.exe'
85            - '\thor.exe'
86        # User: 'NT AUTHORITY\SYSTEM'   # if set, matches all powershell processes not launched by SYSTEM
87    filter_optional_aurora:
88        # This filter is to avoid a race condition FP with this specific ETW provider in aurora
89        Image: null
90    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
91falsepositives:
92    - Used by some .NET binaries, minimal on user workstation.
93    - Used by Microsoft SQL Server Management Studio
94level: medium

References

PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection

This post is a follow-up of sorts from my earlier posts on PowerShell, my PowerShell presentation at BSides Baltimore, and my presentation at DEF CON 24. Hopefully this post provides current information on PowerShell usage for both Blue and Red teams. Related posts: BSides Charm Presentation Posted: PowerShell Security: Defending the Enterprise from the Latest ...

Read More
GitHub - p3nt4/PowerShdll: Run PowerShell with rundll32. Bypass software restrictions.

Run PowerShell with rundll32. Bypass software restrictions. - p3nt4/PowerShdll

Read More

PowerShell Core DLL Loaded By Non PowerShell Process

Sigma rule (View on GitHub)

References

PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection

GitHub - p3nt4/PowerShdll: Run PowerShell with rundll32. Bypass software restrictions.

Related rules