Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock

calendar Apr 1, 2024 · attack.defense_evasion attack.t1218  ·
Share on: linkedin copy

Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.

Sigma rule (View on GitHub)

 1title: Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
 2id: cacef8fc-9d3d-41f7-956d-455c6e881bc5
 3related:
 4    - id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation
 5      type: similar
 6    - id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic
 7      type: similar
 8    - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module
 9      type: similar
10status: test
11description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
12references:
13    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
14    - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
15author: Nasreddine Bencherchali (Nextron Systems)
16date: 2023/05/09
17tags:
18    - attack.defense_evasion
19    - attack.t1218
20logsource:
21    product: windows
22    category: ps_script
23    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
24detection:
25    selection:
26        ScriptBlockText|startswith: 'function Get-VMRemoteFXPhysicalVideoAdapter {'
27    condition: selection
28falsepositives:
29    - Unknown
30level: high

References

Related rules

to-top