Assembly Loading Via CL_LoadAssembly.ps1

Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls.

Sigma rule (View on GitHub)

 1title: Assembly Loading Via CL_LoadAssembly.ps1
 2id: c57872c7-614f-4d7f-a40d-b78c8df2d30d
 3status: test
 4description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls.
 5references:
 6    - https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
 7    - https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/
 8author: frack113, Nasreddine Bencherchali (Nextron Systems)
 9date: 2022/05/21
10modified: 2023/08/17
11tags:
12    - attack.defense_evasion
13    - attack.t1216
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        # Note: As this function is usually called from within powershell, classical process creation even would not catch it. This will only catch inline calls via "-Command" or "-ScriptBlock" flags for example.
20        CommandLine|contains:
21            - 'LoadAssemblyFromPath '
22            - 'LoadAssemblyFromNS '
23    condition: selection
24falsepositives:
25    - Unknown
26level: medium

References

Related rules

to-top