AgentExecutor PowerShell Execution
Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by the 6th positional argument.
Sigma rule
title: AgentExecutor PowerShell Execution
id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61
related:
    - id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab
      type: similar
status: test
description: Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by the 6th positional argument
author: Nasreddine Bencherchali (Nextron Systems), memory-shards
references:
    - https://twitter.com/lefterispan/status/1286259016436514816
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/
    - https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
    - https://twitter.com/jseerden/status/1247985304667066373/photo/1
date: 2022-12-24
modified: 2024-08-07
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\AgentExecutor.exe'
        - OriginalFileName: 'AgentExecutor.exe'
    selection_cli:
        # Example:
        #   AgentExecutor.exe -powershell [scriptPath] [outputFilePath] [errorFilePath] [timeoutFilePath] [timeoutSeconds] [powershellPath] [enforceSignatureCheck] [runAs32BitOn64]
        # Note:
        #   - If [timeoutSeconds] is NULL then it defaults to 60000
        #   - If [enforceSignatureCheck] is:
        #       - "NULL" or "1" then a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy allsigned -file "
        #       - Else a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy bypass -file "
        #   - [powershellPath] is always concatenated with "powershell.exe"
        CommandLine|contains:
            - ' -powershell' # Also covers the "-powershellDetection" flag
            - ' -remediationScript'
    filter_main_intune:
        ParentImage|endswith: '\Microsoft.Management.Services.IntuneWindowsAgent.exe'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Legitimate use via Intune management. You can exclude script paths and names to reduce the FP rate
level: medium
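The following added example (not part of the Sigma rule or its references) evaluates the rule's detection logic over constructed process_creation events and, for each hit, extracts the [powershellPath] positional argument the rule's comment describes, so an analyst can see which directory powershell.exe would be loaded from. It assumes events as dicts keyed by the Sigma field names and command lines without quoted spaces.

```python
"""Re-implementation of the AgentExecutor rule condition over sample events."""

INTUNE_AGENT = "\\Microsoft.Management.Services.IntuneWindowsAgent.exe".lower()


def selection_img(ev):
    """List of maps in Sigma is an OR: Image|endswith or OriginalFileName equals."""
    return (ev.get("Image", "").lower().endswith("\\agentexecutor.exe")
            or ev.get("OriginalFileName", "").lower() == "agentexecutor.exe")


def selection_cli(ev):
    """CommandLine|contains with a list matches any substring, case-insensitively."""
    cmd = ev.get("CommandLine", "").lower()
    return any(s in cmd for s in (" -powershell", " -remediationscript"))


def filter_main_intune(ev):
    """Expected parent: the Intune management extension agent."""
    return ev.get("ParentImage", "").lower().endswith(INTUNE_AGENT)


def matches(ev):
    """condition: all of selection_* and not 1 of filter_main_*"""
    return selection_img(ev) and selection_cli(ev) and not filter_main_intune(ev)


def powershell_dir(cmd):
    """Return [powershellPath], the 6th positional argument after -powershell.
    AgentExecutor appends powershell.exe to it. Assumes no quoted spaces."""
    parts = cmd.split()
    flags = [k for k, p in enumerate(parts) if p.lower() == "-powershell"]
    if not flags:
        return None
    args = parts[flags[0] + 1:]
    return args[5] if len(args) > 5 else None


# Constructed sample events, not real telemetry.
EVENTS = [
    {"Image": "C:\\Program Files (x86)\\Microsoft Intune Management Extension\\AgentExecutor.exe",
     "ParentImage": "C:\\Program Files (x86)\\Microsoft Intune Management Extension\\Microsoft.Management.Services.IntuneWindowsAgent.exe",
     "CommandLine": "AgentExecutor.exe -powershell C:\\IME\\script.ps1 C:\\IME\\out.txt C:\\IME\\err.txt C:\\IME\\to.txt 60000 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\ 1 0"},
    {"Image": "C:\\Temp\\AgentExecutor.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "AgentExecutor.exe -powershell C:\\Temp\\s.ps1 o.txt e.txt t.txt 60000 C:\\Temp\\ 0 0"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe -powershell"},
]


def alerts(events=EVENTS):
    """Return (Image, powershellPath) for every event the rule would fire on."""
    return [(e["Image"], powershell_dir(e["CommandLine"])) for e in events if matches(e)]
```

Only the second event fires: the first is excluded by the Intune parent filter and the third never passes selection_img.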