Assembly Loading Via CL_LoadAssembly.ps1

Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS", two functions defined in the "CL_LoadAssembly.ps1" script. These can be abused to load other assemblies and bypass AppLocker controls.

Sigma rule

```yaml
title: Assembly Loading Via CL_LoadAssembly.ps1
id: c57872c7-614f-4d7f-a40d-b78c8df2d30d
status: experimental
description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass AppLocker controls.
references:
    - https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
    - https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022/05/21
modified: 2023/08/17
tags:
    - attack.defense_evasion
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Note: As this function is usually called from within PowerShell, a classical process creation event would not catch it. This will only catch inline calls, for example via the "-Command" or "-ScriptBlock" flags.
        CommandLine|contains:
            - 'LoadAssemblyFromPath '
            - 'LoadAssemblyFromNS '
    condition: selection
falsepositives:
    - Unknown
level: medium
```
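To show what this selection actually matches, and where the gap noted in the rule's comment lies, here is a small evaluator for the rule's `CommandLine|contains` selection run over constructed process-creation events. This is an added example, not part of the rule or the Sigma project's own code: the events, the placeholder paths and the matcher are assumptions. The matcher goes slightly beyond the rule by also understanding the `startswith`, `endswith` and plain equality forms, so the same function can be reused for other single-selection rules.

```python
"""Evaluate this rule's Sigma selection against constructed process_creation
events (Sysmon Event ID 1 style). Added example; the events, paths and the
matcher are assumptions, not part of the rule."""

# Selection copied from the rule. A list under one field is OR-ed; the keys of
# a selection map are AND-ed; Sigma string matching is case-insensitive.
SELECTION = {
    "CommandLine|contains": [
        "LoadAssemblyFromPath ",
        "LoadAssemblyFromNS ",
    ],
}

# Constructed sample events (not real telemetry). Paths are placeholders.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    # 0: inline -Command call, the case the rule is designed to catch
    {"Image": PS_IMAGE,
     "CommandLine": r'powershell.exe -Command "LoadAssemblyFromPath C:\PLACEHOLDER\example.dll"'},
    # 1: same idea in lowercase; Sigma matching is case-insensitive, so it still hits
    {"Image": PS_IMAGE,
     "CommandLine": r'powershell.exe -command "loadassemblyfromns Example.Namespace"'},
    # 2: the function is invoked inside a script file, so the command line never
    #    carries its name: this is the gap the rule's own comment describes
    {"Image": PS_IMAGE,
     "CommandLine": r"powershell.exe -File C:\PLACEHOLDER\wrapper.ps1"},
    # 3: keyword followed by another character, not a space: the trailing space
    #    in the rule's values keeps this from matching
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\PLACEHOLDER\LoadAssemblyFromPaths.txt"},
]


def _field_matches(key, wanted, event):
    """One `Field|modifier: value(s)` entry; values in a list are OR-ed."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:          # absent field can never satisfy the entry
        return False
    haystack = str(actual).lower()
    values = wanted if isinstance(wanted, list) else [wanted]
    for value in values:
        needle = str(value).lower()
        if modifier == "contains" and needle in haystack:
            return True
        if modifier == "startswith" and haystack.startswith(needle):
            return True
        if modifier == "endswith" and haystack.endswith(needle):
            return True
        if modifier == "" and haystack == needle:
            return True
    return False


def selection_matches(selection, event):
    """All entries of a selection map must hold (AND)."""
    return all(_field_matches(k, v, event) for k, v in selection.items())


def run_rule(events, selection=SELECTION):
    """Return the indices of events that satisfy the selection."""
    return [i for i, e in enumerate(events) if selection_matches(selection, e)]


if __name__ == "__main__":
    for i in run_rule(EVENTS):
        print(f"match on event {i}: {EVENTS[i]['CommandLine']}")
```

Running it reports events 0 and 1 only. Event 2 is the documented blind spot: once the call sits inside a script rather than on the command line, process creation telemetry does not see it, and a PowerShell script block logging rule would be needed instead. Event 3 shows why the rule's values end in a space.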
