Suspicious AgentExecutor PowerShell Execution

calendar Nov 2, 2023 · attack.defense_evasion attack.t1218  ·
Share on: linkedin copy

Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument

Sigma rule (View on GitHub)

 1title: Suspicious AgentExecutor PowerShell Execution
 2id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab
 3related:
 4    - id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61
 5      type: similar
 6status: test
 7description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
 8author: Nasreddine Bencherchali (Nextron Systems), memory-shards
 9references:
10    - https://twitter.com/lefterispan/status/1286259016436514816
11    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/
12    - https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension
13    - https://twitter.com/jseerden/status/1247985304667066373/photo/1
14date: 2022/12/24
15tags:
16    - attack.defense_evasion
17    - attack.t1218
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_img:
23        - Image|endswith: '\AgentExecutor.exe'
24        - OriginalFileName: 'AgentExecutor.exe'
25    selection_cli:
26        # Example:
27        #   AgentExecutor.exe -powershell [scriptPath] [outputFilePath] [errorFilePath] [timeoutFilePath] [timeoutSeconds] [powershellPath] [enforceSignatureCheck] [runAs32BitOn64]
28        # Note:
29        #   - If [timeoutSeconds] is NULL then it defaults to 60000
30        #   - If [enforceSignatureCheck] is:
31        #       - "NULL" or "1" then a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy allsigned -file "
32        #       - Else a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy bypass -file "
33        #   - [powershellPath] is always concatendated to "powershell.exe"
34        CommandLine|contains:
35            - ' -powershell' # Also covers the "-powershellDetection" flag
36            - ' -remediationScript'
37    filter_main_pwsh:
38        CommandLine|contains:
39            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\'
40            - 'C:\Windows\System32\WindowsPowerShell\v1.0\'
41    condition: all of selection_* and not 1 of filter_main_*
42falsepositives:
43    - Unknown
44level: high

References

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

  • Agentexecutor | LOLBAS

    If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1...


    Read More

  • Add PowerShell scripts to Windows 10/11 devices in Microsoft Intune

    Create and run PowerShell scripts, assign the script policy to Microsoft Entra groups, and use reports to monitor the scripts. See the steps to delete scripts you add on Windows 10/11 devices in Microsoft Intune. Read common issues and resolutions.


    Read More

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

Related rules

to-top