Powershell Install a DLL in System Directory
Uses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"
Sigma rule

```yaml
title: Powershell Install a DLL in System Directory
id: 63bf8794-9917-45bc-88dd-e1b5abc0ecfd
status: test
description: Uses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-27
modified: 2024-01-22
tags:
    - attack.credential-access
    - attack.t1556.002
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|re: '(Copy-Item|cpi) .{2,128} -Destination .{1,32}\\Windows\\(System32|SysWOW64)'
    condition: selection
falsepositives:
    - Unknown
level: high
```
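To see what the selection fires on before deploying it, here is an added Python example (not part of the rule or the Sigma project) that applies the rule's regex to a few constructed ScriptBlockText strings; the event texts and the function names are made up for illustration.

```python
import re

# The pattern from the rule's ScriptBlockText|re selection. In the YAML the
# doubled backslashes are literal, so the regex wants one "\" before Windows.
SELECTION_RE = re.compile(
    r"(Copy-Item|cpi) .{2,128} -Destination .{1,32}\\Windows\\(System32|SysWOW64)"
)


def rule_matches(script_block_text: str) -> bool:
    """True when the rule's selection would fire on this ScriptBlockText.

    Matching is case-sensitive, as a plain Sigma ``re`` modifier is unless the
    backend adds the ``i`` flag.
    """
    return SELECTION_RE.search(script_block_text) is not None


# Constructed ScriptBlockText samples (hypothetical, not from a real event log).
SAMPLES = {
    # Full cmdlet name, DLL copied into System32: should alert.
    "dll_to_system32": r"Copy-Item -Path C:\Temp\filter.dll -Destination C:\Windows\System32",
    # The cpi alias and the SysWOW64 directory are covered too.
    "cpi_alias_syswow64": r"cpi .\filter.dll -Destination C:\Windows\SysWOW64",
    # Same action, but the destination does not contain a literal "\Windows\",
    # so this rule as written does not cover it (a tuning point for defenders).
    "systemroot_variable": r"Copy-Item C:\Temp\filter.dll -Destination $env:SystemRoot\System32",
    # PowerShell accepts lowercase cmdlet names, but the case-sensitive regex does not.
    "lowercase_cmdlet": r"copy-item C:\Temp\filter.dll -Destination C:\Windows\System32",
    # Ordinary user file copy: should stay quiet.
    "user_documents": r"Copy-Item -Path .\report.docx -Destination C:\Users\alice\Documents",
}


def evaluate(samples=SAMPLES) -> dict:
    """Run the selection over every sample and return {name: fired}."""
    return {name: rule_matches(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:22} -> {'ALERT' if fired else 'no match'}")
```

The two uncovered samples are the ones worth keeping in mind when tuning: the rule keys on a literal `\Windows\` path and on the exact casing of `Copy-Item`/`cpi`.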
Related rules
- Dropping Of Password Filter DLL
- Potential Suspicious Activity Using SeCEdit
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- ADCS Certificate Template Configuration Vulnerability