Potential PowerShell Execution Via DLL

Detects potential PowerShell execution from a DLL instead of the usual PowerShell process, as seen in PowerShdll. This detection assumes that PowerShell commands are passed via the CommandLine field of the process-creation event.

Sigma rule

```yaml
title: Potential PowerShell Execution Via DLL
id: 6812a10b-60ea-420c-832f-dfcc33b646ba
status: test
description: |
    Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll.
    This detection assumes that PowerShell commands are passed via the CommandLine.
references:
    - https://github.com/p3nt4/PowerShdll/blob/62cfa172fb4e1f7f4ac00ca942685baeb88ff356/README.md
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
date: 2018/08/25
modified: 2024/03/07
tags:
    - attack.defense_evasion
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\InstallUtil.exe'
              - '\RegAsm.exe'
              - '\RegSvcs.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
        - OriginalFileName:
              - 'InstallUtil.exe'
              - 'RegAsm.exe'
              - 'RegSvcs.exe'
              - 'REGSVR32.EXE'
              - 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains:
            - 'Default.GetString'
            - 'DownloadString'
            - 'FromBase64String'
            - 'ICM '
            - 'IEX '
            - 'Invoke-Command'
            - 'Invoke-Expression'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
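To see how the two selections and the `all of selection_*` condition combine, here is an added, self-contained evaluator that is not part of the Sigma project or of PowerShdll. It reproduces the rule's matching semantics (Sigma `endswith`, `contains` and plain equality are case-insensitive by default) and runs them over four constructed process_creation events; every path, DLL name and command line in the sample events is hypothetical.

```python
"""
Added example (not the Sigma project's own code): a minimal evaluator for the
rule above, run over constructed process_creation events.
"""

# Values copied from the rule's selection_img / selection_cli lists.
IMAGE_SUFFIXES = (
    "\\InstallUtil.exe", "\\RegAsm.exe", "\\RegSvcs.exe",
    "\\regsvr32.exe", "\\rundll32.exe",
)
ORIGINAL_FILE_NAMES = (
    "InstallUtil.exe", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.EXE", "RUNDLL32.EXE",
)
CLI_SUBSTRINGS = (
    "Default.GetString", "DownloadString", "FromBase64String",
    "ICM ", "IEX ", "Invoke-Command", "Invoke-Expression",
)


def selection_img(event: dict) -> bool:
    """Either the Image ends with a listed name or the PE OriginalFileName
    equals one; Sigma compares both case-insensitively."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return (
        any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES)
        or any(original == o.lower() for o in ORIGINAL_FILE_NAMES)
    )


def selection_cli(event: dict) -> bool:
    """'contains' is a case-insensitive substring match on CommandLine."""
    cmd = event.get("CommandLine", "").lower()
    return any(s.lower() in cmd for s in CLI_SUBSTRINGS)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(event) and selection_cli(event)


# Constructed sample events (hypothetical paths, DLL names and command lines).
SAMPLE_EVENTS = [
    {   # 0: LOLBin host plus an IEX in the command line -> alert
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": "rundll32.exe C:\\Temp\\example.dll,main IEX (Get-Content C:\\Temp\\script.txt)",
    },
    {   # 1: ordinary rundll32 usage, no PowerShell keywords -> no alert
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
    },
    {   # 2: same keywords in the real PowerShell host are out of this rule's scope
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -c IEX (Get-Content C:\\Temp\\script.txt)",
    },
    {   # 3: renamed binary; OriginalFileName from the PE header still identifies it -> alert
        "Image": "C:\\Temp\\updater.exe",
        "OriginalFileName": "REGSVR32.EXE",
        "CommandLine": "updater.exe /s C:\\Temp\\example.dll FromBase64String",
    },
]


def evaluate(events=SAMPLE_EVENTS) -> list:
    """Return the 0-based indices of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for i in evaluate():
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Event 3 is the reason the rule lists `OriginalFileName` alongside `Image|endswith`: a copied or renamed LOLBin keeps its PE header name, so the selection still holds. Event 2 shows the rule's boundary: the keyword list alone is not the alert, only the combination with a DLL-hosting image is, which keeps the rule from firing on every interactive PowerShell session.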
