RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses

calendar May 15, 2023 · attack.defense_evasion attack.t1218  ·
Share on: linkedin copy

Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.

Sigma rule (View on GitHub)

 1title: RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
 2id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5
 3related:
 4    - id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic
 5      type: similar
 6    - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module
 7      type: similar
 8    - id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock
 9      type: similar
10status: test
11description: Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.
12references:
13    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
14    - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
15author: frack113
16date: 2021/07/13
17modified: 2023/05/09
18tags:
19    - attack.defense_evasion
20    - attack.t1218
21logsource:
22    product: windows
23    category: process_creation
24detection:
25    selection:
26        CommandLine|contains:
27            - 'Invoke-ATHRemoteFXvGPUDisablementCommand'
28            - 'Invoke-ATHRemoteFXvGPUDisableme'
29    condition: selection
30falsepositives:
31    - Unknown
32level: high

References

Related rules

to-top