HackTool - DInjector PowerShell Cradle Execution
Detects the use of the Dinject PowerShell cradle based on the specific flags
Sigma rule (View on GitHub)
1title: HackTool - DInjector PowerShell Cradle Execution
2id: d78b5d61-187d-44b6-bf02-93486a80de5a
3status: test
4description: Detects the use of the Dinject PowerShell cradle based on the specific flags
5references:
6 - https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector # Original got deleted. This is a fork
7author: Florian Roth (Nextron Systems)
8date: 2021-12-07
9modified: 2023-02-04
10tags:
11 - attack.defense-evasion
12 - attack.t1055
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 CommandLine|contains|all:
19 - ' /am51'
20 - ' /password'
21 condition: selection
22falsepositives:
23 - Unlikely
24level: critical
References
-
Collection of techniques for shellcode injection packed in a D/Invoke weaponized DLL - GitHub - snovvcrash/DInjector: Collection of techniques for shellcode injection packed in a D/Invoke weaponize...
Read More
Related rules
- HackTool - CoercedPotato Named Pipe Creation
- Injected Browser Process Spawning Rundll32 - GuLoader Activity
- Potential DLL Sideloading Using Coregen.exe
- Suspicious Child Process Of Wermgr.EXE
- APT PRIVATELOG Image Load Pattern