Potential Process Execution Proxy Via CL_Invocation.ps1
Detects calls to "SyncInvoke", a function defined in the "CL_Invocation.ps1" script, used to proxy execution through "System.Diagnostics.Process"
Sigma rule

```yaml
title: Potential Process Execution Proxy Via CL_Invocation.ps1
id: a0459f02-ac51-4c09-b511-b8c9203fc429
status: test
description: Detects calls to "SyncInvoke", a function defined in the "CL_Invocation.ps1" script, used to proxy execution through "System.Diagnostics.Process"
references:
    - https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/
    - https://twitter.com/bohops/status/948061991012327424
author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova
date: 2020-10-14
modified: 2023-08-17
tags:
    - attack.defense-evasion
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Note: As this function is usually called from within PowerShell, a classic process creation event would not catch it. This will only catch inline calls, for example via the "-Command" or "-ScriptBlock" flags.
        CommandLine|contains: 'SyncInvoke '
    condition: selection
falsepositives:
    - Unknown
level: medium
```
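The following is an added example, not code from the Sigma rule or the SigmaHQ project. It applies the rule's single selection (`CommandLine|contains: 'SyncInvoke '`, a case-insensitive substring test) to a handful of constructed process_creation events and shows the blind spot the rule's comment warns about: the function name is only visible when it is passed inline on the command line. As an extension that goes beyond the rule, it also decodes `-EncodedCommand` payloads (base64 of UTF-16LE) before matching, which recovers one of the missed cases. The PowerShell path, the CL_Invocation.ps1 location (taken from the LOLBAS entry and not verified against a live host), and all command lines are constructed samples.

```python
import base64
import re

# Added example, not part of the Sigma rule or the SigmaHQ project.
# All paths and command lines below are constructed samples.

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Location of CL_Invocation.ps1 as listed by LOLBAS (assumed here, not verified on a host).
INVOCATION_SCRIPT = r"C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1"
INLINE_PAYLOAD = f'. "{INVOCATION_SCRIPT}"; SyncInvoke calc.exe'


def sigma_contains(field_value: str, needle: str) -> bool:
    """Sigma 'contains' modifier: case-insensitive substring match."""
    return needle.lower() in (field_value or "").lower()


def matches_rule(event: dict) -> bool:
    """The rule as written: condition 'selection', one field test on CommandLine."""
    return sigma_contains(event.get("CommandLine", ""), "SyncInvoke ")


# --- Extension beyond the rule: inspect -EncodedCommand payloads -------------------
# PowerShell accepts any unambiguous prefix of -EncodedCommand; this regex covers
# the common spellings only (a simplification, assumed sufficient for the samples).
_ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(command_line: str) -> str:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or '' if absent/invalid."""
    m = _ENC_RE.search(command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def matches_rule_with_decoding(event: dict) -> bool:
    """Rule logic applied to both the raw and the decoded command line."""
    cmd = event.get("CommandLine", "")
    return matches_rule(event) or sigma_contains(decode_encoded_command(cmd), "SyncInvoke ")


def _encode(ps: str) -> str:
    """Encode a script the way 'powershell -EncodedCommand' expects it."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed Sysmon Event ID 1 style events (Image + CommandLine only).
SAMPLE_EVENTS = [
    # 0: inline call via -Command; the function name is on the command line -> caught
    {"Image": POWERSHELL, "CommandLine": f'powershell.exe -nop -Command "{INLINE_PAYLOAD}"'},
    # 1: same payload base64-encoded; 'SyncInvoke ' never appears in clear text -> missed by the rule
    {"Image": POWERSHELL, "CommandLine": f"powershell.exe -EncodedCommand {_encode(INLINE_PAYLOAD)}"},
    # 2: the call lives inside a script file; the command line only names the file -> missed (the rule's own caveat)
    {"Image": POWERSHELL, "CommandLine": r"powershell.exe -File C:\Users\Public\diag.ps1"},
    # 3: unrelated benign process
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]


def run_detection(events, decode_encoded: bool = False):
    """Return the indices of events that fire; decode_encoded enables the extension."""
    check = matches_rule_with_decoding if decode_encoded else matches_rule
    return [i for i, ev in enumerate(events) if check(ev)]


if __name__ == "__main__":
    print("rule as written   :", run_detection(SAMPLE_EVENTS))
    print("with enc decoding :", run_detection(SAMPLE_EVENTS, decode_encoded=True))
```

Event 2 stays invisible to any command-line rule, encoded or not: when SyncInvoke is called from inside a script, the only place the function name shows up is PowerShell script block logging (Microsoft-Windows-PowerShell/Operational, Event ID 4104, ScriptBlockText), so in practice this rule is paired with a ps_script rule on that field rather than relied on alone.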
Related rules
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
- Assembly Loading Via CL_LoadAssembly.ps1
- Execute Code with Pester.bat
- Execute Code with Pester.bat as Parent