Potential RemoteFXvGPUDisablement.EXE Abuse

calendar May 15, 2023 · attack.defense_evasion attack.t1218  ·
Share on: linkedin copy

Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.

Sigma rule (View on GitHub)

 1title: Potential RemoteFXvGPUDisablement.EXE Abuse
 2id: f65e22f9-819e-4f96-9c7b-498364ae7a25
 3related:
 4    - id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation
 5      type: similar
 6    - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module
 7      type: similar
 8    - id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock
 9      type: similar
10status: test
11description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of  the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
12references:
13    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
14    - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
15author: frack113, Nasreddine Bencherchali (Nextron Systems)
16date: 2021/07/13
17modified: 2023/05/09
18tags:
19    - attack.defense_evasion
20    - attack.t1218
21logsource:
22    product: windows
23    service: powershell-classic
24    definition: fields have to be extract from event
25detection:
26    selection:
27        Data|contains: 'ModuleContents=function Get-VMRemoteFXPhysicalVideoAdapter {'
28    condition: selection
29falsepositives:
30    - Unknown
31level: high

References

Related rules

to-top