Assembly Loading Via CL_LoadAssembly.ps1
Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS", the two functions defined in the Windows diagnostic script "CL_LoadAssembly.ps1". Because the script is a signed, Microsoft-shipped PowerShell file, it can be abused to load arbitrary .NET assemblies from an attacker-chosen path and so bypass AppLocker controls.
Sigma rule
title: Assembly Loading Via CL_LoadAssembly.ps1
id: c57872c7-614f-4d7f-a40d-b78c8df2d30d
status: test
description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass AppLocker controls.
references:
    - https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
    - https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-21
modified: 2023-08-17
tags:
    - attack.defense-evasion
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Note: As this function is usually called from within PowerShell, a classical process creation event would not catch it. This will only catch inline calls via the "-Command" or "-ScriptBlock" flags, for example.
        CommandLine|contains:
            - 'LoadAssemblyFromPath '
            - 'LoadAssemblyFromNS '
    condition: selection
falsepositives:
    - Unknown
level: medium
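To make the selection concrete, the following Python applies the rule's two `CommandLine|contains` values to a handful of constructed process_creation events: the inline `-Command` case the rule is meant to catch, and the interactive case its comment warns it will miss. This is an added example, not code from the rule or from the SigmaHQ project; the sample command lines, paths, file names and arguments are constructed assumptions, not captured telemetry. The `matches_script_block` function goes beyond the rule, applying the same needles to a constructed PowerShell script block log entry (Event ID 4104) as one way of closing the gap the rule's comment describes.

```python
"""Apply the selection from the Sigma rule above to constructed events.

Added example, not part of the rule or of SigmaHQ. All events below are
constructed for illustration; paths and arguments are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Transcribed from the rule: CommandLine|contains with two values.
# Note the trailing space: the rule keys on the PowerShell function-call
# form "LoadAssemblyFromPath <argument>".
SELECTION_CONTAINS = ("LoadAssemblyFromPath ", "LoadAssemblyFromNS ")


@dataclass
class ProcessCreationEvent:
    """Minimal process_creation record (Sysmon Event ID 1 / Security 4688 shape)."""
    image: str
    command_line: str


def sigma_contains(value: str, needles: Iterable[str]) -> bool:
    """Sigma `contains` semantics: substring test, case-insensitive by default."""
    haystack = value.lower()
    return any(n.lower() in haystack for n in needles)


def matches_process_creation(event: ProcessCreationEvent) -> bool:
    """The rule's `condition: selection`, applied to one process_creation event."""
    return sigma_contains(event.command_line, SELECTION_CONTAINS)


def matches_script_block(script_block_text: str) -> bool:
    """Same needles applied to PowerShell script block logging (Event ID 4104).

    Not part of the rule above, which is process_creation only. Shown to
    illustrate how the coverage gap in the rule's comment can be closed when
    the function is called from inside an already-running session.
    """
    return sigma_contains(script_block_text, SELECTION_CONTAINS)


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (assumed paths and arguments).
SAMPLE_EVENTS: List[ProcessCreationEvent] = [
    # 1. Inline -Command invocation: the script body rides in the command line,
    #    so the function call is visible to process_creation. Matches.
    ProcessCreationEvent(
        image=PS_EXE,
        command_line=(
            r'powershell.exe -ep bypass -Command "Set-Location C:\Windows\diagnostics\system\AERO; '
            r'Import-Module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\Temp\payload.dll; '
            r'[Program]::Main()"'
        ),
    ),
    # 2. Same technique via LoadAssemblyFromNS with odd casing. Matches, because
    #    Sigma matching is case-insensitive. The argument is a placeholder.
    ProcessCreationEvent(
        image=PS_EXE,
        command_line=r'powershell.exe -Command "Import-Module .\CL_LoadAssembly.ps1; loadassemblyfromns SomeNamespace"',
    ),
    # 3. Interactive session: the script is imported and the function called at
    #    the prompt afterwards. Only the shell start reaches process_creation,
    #    so the rule cannot see it (the caveat in the rule's comment). No match.
    ProcessCreationEvent(image=PS_EXE, command_line="powershell.exe -ep bypass"),
    # 4. Unrelated module import. No match.
    ProcessCreationEvent(
        image=PS_EXE,
        command_line='powershell.exe -Command "Import-Module Pester; Invoke-Pester"',
    ),
]

# Constructed 4104 ScriptBlockText for case 3: what that session actually ran.
SAMPLE_SCRIPT_BLOCK = (
    r"Import-Module C:\Windows\diagnostics\system\AERO\CL_LoadAssembly.ps1" "\n"
    r"LoadAssemblyFromPath C:\Temp\payload.dll" "\n"
    r"[Program]::Main()"
)


def run_detection(events: Iterable[ProcessCreationEvent]) -> List[ProcessCreationEvent]:
    """Return the events the rule would alert on."""
    return [e for e in events if matches_process_creation(e)]


if __name__ == "__main__":
    hits = run_detection(SAMPLE_EVENTS)
    print(f"{len(hits)} of {len(SAMPLE_EVENTS)} process_creation events matched:")
    for hit in hits:
        print("  ", hit.command_line)
    print("Interactive case visible in script block logging:", matches_script_block(SAMPLE_SCRIPT_BLOCK))
```

Running it shows two of the four process_creation events matching (cases 1 and 2) and case 3 slipping past the rule, while the same needles applied to the 4104 script block text for case 3 do match. In practice that means pairing this rule with PowerShell script block logging (or a ps_script variant of the same selection) if interactive abuse of the script is a concern.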
Related rules
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
- Execute Code with Pester.bat
- Execute Code with Pester.bat as Parent
- Potential Manage-bde.wsf Abuse To Proxy Execution