HackTool - DInjector PowerShell Cradle Execution
Detects the use of the Dinject PowerShell cradle based on the specific flags
Sigma rule (View on GitHub)
1title: HackTool - DInjector PowerShell Cradle Execution
2id: d78b5d61-187d-44b6-bf02-93486a80de5a
3status: test
4description: Detects the use of the Dinject PowerShell cradle based on the specific flags
5references:
6 - https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector # Original got deleted. This is a fork
7author: Florian Roth (Nextron Systems)
8date: 2021-12-07
9modified: 2023-02-04
10tags:
11 - attack.privilege-escalation
12 - attack.defense-evasion
13 - attack.t1055
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 CommandLine|contains|all:
20 - ' /am51'
21 - ' /password'
22 condition: selection
23falsepositives:
24 - Unlikely
25level: critical
References
-
Collection of techniques for shellcode injection packed in a D/Invoke weaponized DLL - GitHub - snovvcrash/DInjector: Collection of techniques for shellcode injection packed in a D/Invoke weaponize...
Read More
Related rules
- Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
- Created Files by Microsoft Sync Center
- Dllhost.EXE Execution Anomaly
- DotNet CLR DLL Loaded By Scripting Applications
- Injected Browser Process Spawning Rundll32 - GuLoader Activity