Suspicious AgentExecutor PowerShell Execution

Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument

Sigma rule (View on GitHub)

 1title: Suspicious AgentExecutor PowerShell Execution
 2id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab
 3related:
 4    - id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61
 5      type: similar
 6status: test
 7description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
 8author: Nasreddine Bencherchali (Nextron Systems), memory-shards
 9references:
10    - https://twitter.com/lefterispan/status/1286259016436514816
11    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/
12    - https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
13    - https://twitter.com/jseerden/status/1247985304667066373/photo/1
14date: 2022/12/24
15tags:
16    - attack.defense_evasion
17    - attack.t1218
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_img:
23        - Image|endswith: '\AgentExecutor.exe'
24        - OriginalFileName: 'AgentExecutor.exe'
25    selection_cli:
26        # Example:
27        #   AgentExecutor.exe -powershell [scriptPath] [outputFilePath] [errorFilePath] [timeoutFilePath] [timeoutSeconds] [powershellPath] [enforceSignatureCheck] [runAs32BitOn64]
28        # Note:
29        #   - If [timeoutSeconds] is NULL then it defaults to 60000
30        #   - If [enforceSignatureCheck] is:
31        #       - "NULL" or "1" then a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy allsigned -file "
32        #       - Else a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy bypass -file "
33        #   - [powershellPath] is always concatendated to "powershell.exe"
34        CommandLine|contains:
35            - ' -powershell' # Also covers the "-powershellDetection" flag
36            - ' -remediationScript'
37    filter_main_pwsh:
38        CommandLine|contains:
39            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\'
40            - 'C:\Windows\System32\WindowsPowerShell\v1.0\'
41    condition: all of selection_* and not 1 of filter_main_*
42falsepositives:
43    - Unknown
44level: high

References

Related rules

to-top