Suspicious AgentExecutor PowerShell Execution
Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
Sigma rule (View on GitHub)
1title: Suspicious AgentExecutor PowerShell Execution
2id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab
3related:
4 - id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61
5 type: similar
6status: test
7description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
8author: Nasreddine Bencherchali (Nextron Systems), memory-shards
9references:
10 - https://twitter.com/lefterispan/status/1286259016436514816
11 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/
12 - https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
13 - https://twitter.com/jseerden/status/1247985304667066373/photo/1
14date: 2022-12-24
15modified: 2024-08-07
16tags:
17 - attack.defense-evasion
18 - attack.t1218
19logsource:
20 category: process_creation
21 product: windows
22detection:
23 selection_img:
24 - Image|endswith: '\AgentExecutor.exe'
25 - OriginalFileName: 'AgentExecutor.exe'
26 selection_cli:
27 # Example:
28 # AgentExecutor.exe -powershell [scriptPath] [outputFilePath] [errorFilePath] [timeoutFilePath] [timeoutSeconds] [powershellPath] [enforceSignatureCheck] [runAs32BitOn64]
29 # Note:
30 # - If [timeoutSeconds] is NULL then it defaults to 60000
31 # - If [enforceSignatureCheck] is:
32 # - "NULL" or "1" then a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy allsigned -file "
33 # - Else a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy bypass -file "
34 # - [powershellPath] is always concatendated to "powershell.exe"
35 CommandLine|contains:
36 - ' -powershell' # Also covers the "-powershellDetection" flag
37 - ' -remediationScript'
38 filter_main_pwsh:
39 CommandLine|contains:
40 - 'C:\Windows\System32\WindowsPowerShell\v1.0\'
41 - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\'
42 filter_main_intune:
43 ParentImage|endswith: '\Microsoft.Management.Services.IntuneWindowsAgent.exe'
44 condition: all of selection_* and not 1 of filter_main_*
45falsepositives:
46 - Unknown
47level: high
References
-
AgentExecutor.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More -
Create and run PowerShell scripts, assign the script policy to Microsoft Entra groups, and use reports to monitor the scripts. See the steps to delete scripts you add on Windows 10/11 devices in Microsoft Intune. Read common issues and resolutions.
Read More
Related rules
- Abusing Print Executable
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via MSOHTMED.EXE