
PowerShell Core DLL Loaded By Non PowerShell Process

Severity: medium
Author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
Source: upstream

Detects the loading of essential PowerShell DLLs by a non-PowerShell process. This covers behaviour similar to meterpreter's "load powershell" extension, which hosts the PowerShell runtime inside an arbitrary process.

MITRE ATT&CK coverage

Tactic | Techniques
Execution | T1059.001 Command and Scripting Interpreter: PowerShell

Event coverage

Provider | Event ID | Title
Sysmon | 7 | Image loaded

Stages and Predicates

Stage 1: selection

or:
Description: System.Management.Automation
ImageLoaded|endswith: '\System.Management.Automation.dll'
ImageLoaded|endswith: '\System.Management.Automation.ni.dll'
OriginalFileName: System.Management.Automation.dll

Stage 2: not 1 of filter_main_*

or:
or:
Image|contains: 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
Image|contains: '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
Image|endswith: '\pwsh.exe'
or:
Image|startswith: 'C:\Windows\Microsoft.NET\Framework64\'
Image|startswith: 'C:\Windows\Microsoft.NET\FrameworkArm64\'
Image|startswith: 'C:\Windows\Microsoft.NET\FrameworkArm\'
Image|startswith: 'C:\Windows\Microsoft.NET\Framework\'
Image|endswith: '\mscorsvw.exe'
Image: 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
Image: 'C:\Program Files\PowerShell\7\pwsh.exe'
Image: 'C:\WINDOWS\System32\RemoteFXvGPUDisablement.exe'
Image: 'C:\WINDOWS\System32\sdiagnhost.exe'
Image: 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
Image: 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
Image: 'C:\Windows\SysWOW64\winrshost.exe'
Image: 'C:\Windows\SysWOW64\wsmprovhost.exe'
Image: 'C:\Windows\System32\ServerManager.exe'
Image: 'C:\Windows\System32\SyncAppvPublishingServer.exe'
Image: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
Image: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
Image: 'C:\Windows\System32\dsac.exe'
Image: 'C:\Windows\System32\runscripthelper.exe'
Image: 'C:\Windows\System32\winrshost.exe'
Image: 'C:\Windows\System32\wsmprovhost.exe'

Stage 3: not 1 of filter_optional_*

or:
or:
Image|endswith: '\thor.exe'
Image|endswith: '\thor64.exe'
Image|startswith: 'C:\Windows\Temp\asgard2-agent\'
or:
Image|startswith: 'C:\Program Files (x86)\Microsoft SQL Server Management Studio'
Image|startswith: 'C:\Program Files\Microsoft SQL Server Management Studio'
Image|endswith: '\IDE\Ssms.exe'
or:
Image|startswith: 'C:\Program Files (x86)\Microsoft SQL Server\'
Image|startswith: 'C:\Program Files\Microsoft SQL Server\'
Image|endswith: '\Tools\Binn\SQLPS.exe'
Image|endswith: '\Citrix\ConfigSync\ConfigSyncRun.exe'
Image: null
Image|startswith: 'C:\Program Files (x86)\Microsoft Visual Studio\'
Image|startswith: 'C:\Program Files\Microsoft Visual Studio\'
Image|startswith: 'C:\ProgramData\chocolatey\choco.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values (with corpus count where known)

Description | eq
  • System.Management.Automation
Image | ends_with
  • \Citrix\ConfigSync\ConfigSyncRun.exe
  • \IDE\Ssms.exe
  • \Tools\Binn\SQLPS.exe corpus 2 (sigma 2)
  • \mscorsvw.exe corpus 2 (sigma 2)
  • \pwsh.exe corpus 140 (sigma 140)
  • \thor.exe corpus 7 (sigma 7)
  • \thor64.exe corpus 6 (sigma 6)
Image | eq
  • C:\Program Files\PowerShell\7-preview\pwsh.exe corpus 3 (sigma 3)
  • C:\Program Files\PowerShell\7\pwsh.exe corpus 4 (sigma 4)
  • C:\WINDOWS\System32\RemoteFXvGPUDisablement.exe
  • C:\WINDOWS\System32\sdiagnhost.exe
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe corpus 3 (sigma 3)
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe corpus 2 (sigma 2)
  • C:\Windows\SysWOW64\winrshost.exe
  • C:\Windows\SysWOW64\wsmprovhost.exe
  • C:\Windows\System32\ServerManager.exe corpus 3 (sigma 3)
  • C:\Windows\System32\SyncAppvPublishingServer.exe
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe corpus 4 (sigma 4)
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe corpus 3 (sigma 3)
  • C:\Windows\System32\dsac.exe corpus 2 (sigma 2)
  • C:\Windows\System32\runscripthelper.exe
  • C:\Windows\System32\winrshost.exe
  • C:\Windows\System32\wsmprovhost.exe corpus 2 (sigma 2)
Image | match
  • C:\Program Files\WindowsApps\Microsoft.PowerShellPreview corpus 4 (sigma 4)
  • \AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview corpus 4 (sigma 4)
Image | starts_with
  • C:\Program Files (x86)\Microsoft SQL Server Management Studio
  • C:\Program Files (x86)\Microsoft SQL Server\
  • C:\Program Files (x86)\Microsoft Visual Studio\ corpus 2 (sigma 2)
  • C:\Program Files\Microsoft SQL Server Management Studio
  • C:\Program Files\Microsoft SQL Server\
  • C:\Program Files\Microsoft Visual Studio\ corpus 2 (sigma 2)
  • C:\ProgramData\chocolatey\choco.exe
  • C:\Windows\Microsoft.NET\Framework64\
  • C:\Windows\Microsoft.NET\FrameworkArm64\
  • C:\Windows\Microsoft.NET\FrameworkArm\
  • C:\Windows\Microsoft.NET\Framework\
  • C:\Windows\Temp\asgard2-agent\ corpus 3 (sigma 3)
ImageLoaded | ends_with
  • \System.Management.Automation.dll
  • \System.Management.Automation.ni.dll
OriginalFileName | eq
  • System.Management.Automation.dll