AgentExecutor PowerShell Execution

Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument

Sigma rule (View on GitHub)

 1title: AgentExecutor PowerShell Execution
 2id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61
 3related:
 4    - id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab
 5      type: similar
 6status: test
 7description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
 8author: Nasreddine Bencherchali (Nextron Systems), memory-shards
 9references:
10    - https://twitter.com/lefterispan/status/1286259016436514816
11    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/
12    - https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
13    - https://twitter.com/jseerden/status/1247985304667066373/photo/1
14date: 2022-12-24
15modified: 2024-08-07
16tags:
17    - attack.defense-evasion
18    - attack.t1218
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_img:
24        - Image: '\AgentExecutor.exe'
25        - OriginalFileName: 'AgentExecutor.exe'
26    selection_cli:
27        # Example:
28        #   AgentExecutor.exe -powershell [scriptPath] [outputFilePath] [errorFilePath] [timeoutFilePath] [timeoutSeconds] [powershellPath] [enforceSignatureCheck] [runAs32BitOn64]
29        # Note:
30        #   - If [timeoutSeconds] is NULL then it defaults to 60000
31        #   - If [enforceSignatureCheck] is:
32        #       - "NULL" or "1" then a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy allsigned -file "
33        #       - Else a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy bypass -file "
34        #   - [powershellPath] is always concatendated to "powershell.exe"
35        CommandLine|contains:
36            - ' -powershell' # Also covers the "-powershellDetection" flag
37            - ' -remediationScript'
38    filter_main_intune:
39        ParentImage|endswith: '\Microsoft.Management.Services.IntuneWindowsAgent.exe'
40    condition: all of selection_* and not 1 of filter_main_*
41falsepositives:
42    - Legitimate use via Intune management. You exclude script paths and names to reduce FP rate
43level: medium

References

Related rules

to-top