Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module

Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.

Sigma rule (View on GitHub)

 1title: Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module
 2id: 38a7625e-b2cb-485d-b83d-aff137d859f4
 3related:
 4    - id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation
 5      type: similar
 6    - id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic
 7      type: similar
 8    - id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock
 9      type: similar
10status: test
11description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
12references:
13    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
14    - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
15author: Nasreddine Bencherchali (Nextron Systems), frack113
16date: 2021-07-13
17modified: 2023-05-09
18tags:
19    - attack.defense-evasion
20    - attack.t1218
21logsource:
22    product: windows
23    category: ps_module
24    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
25detection:
26    selection:
27        Payload|contains: 'ModuleContents=function Get-VMRemoteFXPhysicalVideoAdapter {'
28    condition: selection
29falsepositives:
30    - Unknown
31level: high

References

Related rules

to-top