UtilityFunctions.ps1 Proxy Dll
Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.
Sigma rule

```yaml
title: UtilityFunctions.ps1 Proxy Dll
id: 0403d67d-6227-4ea8-8145-4e72db7da120
status: test
description: Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.
references:
  - https://lolbas-project.github.io/lolbas/Scripts/UtilityFunctions/
author: frack113
date: 2022-05-28
tags:
  - attack.defense-evasion
  - attack.t1216
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - 'UtilityFunctions.ps1'
      - 'RegSnapin '
  condition: selection
falsepositives:
  - Unknown
level: medium
```
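To show how this rule's selection behaves on telemetry, here is an added example (not part of the Sigma project or the rule author's material) that applies the `CommandLine|contains` logic to constructed process_creation events; the event dictionaries and field names are assumptions, and Sigma's default case-insensitive string matching is reproduced by lowercasing both sides.

```python
"""Added example: evaluate the UtilityFunctions.ps1 Proxy Dll rule's
selection against constructed Windows process_creation events."""

# Substrings from the rule's CommandLine|contains list. A Sigma list under a
# single field/modifier is OR-ed: any one substring present is a match.
COMMANDLINE_CONTAINS = ["UtilityFunctions.ps1", "RegSnapin "]

# Metadata carried into the alert record (from the rule header).
RULE_TITLE = "UtilityFunctions.ps1 Proxy Dll"
RULE_LEVEL = "medium"
RULE_TAGS = ["attack.defense-evasion", "attack.t1216"]


def matches_rule(event: dict) -> bool:
    """True when the event's CommandLine contains any listed substring.

    Sigma string matching is case-insensitive by default, so both the event
    value and the rule values are lowercased before the substring test.
    Note the trailing space in 'RegSnapin ': the rule only matches the
    function name followed by an argument, not an arbitrary 'RegSnapin*'."""
    cmdline = str(event.get("CommandLine", "")).lower()
    return any(needle.lower() in cmdline for needle in COMMANDLINE_CONTAINS)


def evaluate(events: list) -> list:
    """Return an alert record for each event the selection matches."""
    alerts = []
    for event in events:
        if matches_rule(event):
            alerts.append({"title": RULE_TITLE, "level": RULE_LEVEL,
                           "tags": RULE_TAGS, "CommandLine": event["CommandLine"]})
    return alerts


# Constructed sample events (hypothetical, not real telemetry). Field names
# follow the Sigma process_creation taxonomy as an assumption.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": PS, "CommandLine": r"powershell.exe -File C:\temp\UtilityFunctions.ps1"},
    {"Image": PS, "CommandLine": r'powershell.exe -Command "regsnapin C:\temp\some.dll"'},
    {"Image": PS, "CommandLine": "powershell.exe -Command Get-Process"},
    {"Image": PS, "CommandLine": "powershell.exe -Command RegSnapinHelper"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['level']}] {alert['title']}: {alert['CommandLine']}")
```

The second sample matches despite different casing, and the fourth does not because the rule's value ends in a space; both are worth keeping in mind when tuning the "Unknown" false-positive list for an environment.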
Related rules
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
- Assembly Loading Via CL_LoadAssembly.ps1
- Execute Code with Pester.bat
- Execute Code with Pester.bat as Parent