PowerShell Core DLL Loaded By Non PowerShell Process
Detects loading of essential DLLs used by PowerShell by non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension.
Sigma rule (View on GitHub)
1title: PowerShell Core DLL Loaded By Non PowerShell Process
2id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f
3related:
4 - id: 867613fb-fa60-4497-a017-a82df74a172c
5 type: obsolete
6 - id: fe6e002f-f244-4278-9263-20e4b593827f
7 type: obsolete
8status: test
9description: |
10 Detects loading of essential DLLs used by PowerShell by non-PowerShell process.
11 Detects behavior similar to meterpreter's "load powershell" extension.
12references:
13 - https://adsecurity.org/?p=2921
14 - https://github.com/p3nt4/PowerShdll
15author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
16date: 2019-11-14
17modified: 2025-10-07
18tags:
19 - attack.t1059.001
20 - attack.execution
21logsource:
22 category: image_load
23 product: windows
24detection:
25 selection:
26 - Description: 'System.Management.Automation'
27 - OriginalFileName: 'System.Management.Automation.dll'
28 - ImageLoaded|endswith:
29 - '\System.Management.Automation.dll'
30 - '\System.Management.Automation.ni.dll'
31 filter_main_powershell:
32 Image:
33 - 'C:\Program Files\PowerShell\7-preview\pwsh.exe' # PowerShell 7 preview
34 - 'C:\Program Files\PowerShell\7\pwsh.exe' # PowerShell 7
35 - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
36 - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
37 - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
38 - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
39 filter_main_pwsh_preview:
40 Image|contains:
41 - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
42 - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
43 Image|endswith: '\pwsh.exe'
44 filter_main_generic:
45 Image:
46 - 'C:\Windows\System32\dsac.exe'
47 - 'C:\WINDOWS\System32\RemoteFXvGPUDisablement.exe'
48 - 'C:\Windows\System32\runscripthelper.exe'
49 - 'C:\WINDOWS\System32\sdiagnhost.exe'
50 - 'C:\Windows\System32\ServerManager.exe'
51 - 'C:\Windows\System32\SyncAppvPublishingServer.exe'
52 - 'C:\Windows\System32\winrshost.exe'
53 - 'C:\Windows\System32\wsmprovhost.exe'
54 - 'C:\Windows\SysWOW64\winrshost.exe'
55 - 'C:\Windows\SysWOW64\wsmprovhost.exe'
56 filter_main_dotnet:
57 Image|startswith:
58 - 'C:\Windows\Microsoft.NET\Framework\'
59 - 'C:\Windows\Microsoft.NET\FrameworkArm\'
60 - 'C:\Windows\Microsoft.NET\FrameworkArm64\'
61 - 'C:\Windows\Microsoft.NET\Framework64\'
62 Image|endswith: '\mscorsvw.exe'
63 filter_optional_sql_server_mgmt:
64 Image|startswith:
65 - 'C:\Program Files (x86)\Microsoft SQL Server Management Studio'
66 - 'C:\Program Files\Microsoft SQL Server Management Studio'
67 Image|endswith: '\IDE\Ssms.exe'
68 filter_optional_sql_server_tools:
69 Image|startswith:
70 - 'C:\Program Files (x86)\Microsoft SQL Server\'
71 - 'C:\Program Files\Microsoft SQL Server\'
72 Image|endswith: '\Tools\Binn\SQLPS.exe'
73 filter_optional_citrix:
74 Image|endswith: '\Citrix\ConfigSync\ConfigSyncRun.exe'
75 filter_optional_vs:
76 Image|startswith:
77 - 'C:\Program Files (x86)\Microsoft Visual Studio\'
78 - 'C:\Program Files\Microsoft Visual Studio\'
79 filter_optional_chocolatey:
80 Image|startswith: 'C:\ProgramData\chocolatey\choco.exe'
81 filter_optional_nextron:
82 Image|startswith: 'C:\Windows\Temp\asgard2-agent\'
83 Image|endswith:
84 - '\thor64.exe'
85 - '\thor.exe'
86 # User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM
87 filter_optional_aurora:
88 # This filter is to avoid a race condition FP with this specific ETW provider in aurora
89 Image: null
90 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
91falsepositives:
92 - Used by some .NET binaries, minimal on user workstation.
93 - Used by Microsoft SQL Server Management Studio
94level: medium
References
Related rules
- Alternate PowerShell Hosts Pipe
- Change PowerShell Policies to an Insecure Level
- Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)
- Raspberry Robin Initial Execution From External Drive
- Raspberry Robin Subsequent Execution of Commands