Techniques
Sample rules
HackTool - Powerup Write Hijack DLL
- source: sigma
- techniques:
- t1574
- t1574.001
Description
The PowerUp tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In its default mode it builds a self-deleting .bat file that executes a malicious command. The detection rule relies on the creation of that .bat file (debug.bat by default).
Detection logic
selection:
    Image|endswith:
        - '\powershell.exe'
        - '\pwsh.exe'
    TargetFilename|endswith: '.bat'
condition: selection
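As an added example that is not part of the rule or of Sigma's own engine, the selection above implemented as a small matcher in Python and run over constructed Sysmon FileCreate (Event ID 11) records; the event samples and paths are made up, and Sigma's default case-insensitive string matching is assumed.

```python
# Minimal evaluator for the Sigma selection above (not Sigma's engine).
# Field names Image / TargetFilename follow the rule; sample events are constructed.
SELECTION = {
    "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
    "TargetFilename|endswith": ".bat",
}


def field_matches(value, patterns):
    """Sigma 'endswith' modifier: case-insensitive; a list of patterns is an OR."""
    if not isinstance(patterns, list):
        patterns = [patterns]
    value = value.lower()
    return any(value.endswith(p.lower()) for p in patterns)


def selection_matches(event, selection=SELECTION):
    """Every field of a selection map must match (AND across fields)."""
    for key, patterns in selection.items():
        field, modifier = key.split("|", 1)
        if modifier != "endswith":
            raise ValueError(f"unsupported modifier: {modifier}")
        if field not in event or not field_matches(event[field], patterns):
            return False
    return True


# Constructed Sysmon Event ID 11 records, reduced to the two fields the rule uses.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\Public\debug.bat"},          # PowerUp default name
    {"Image": r"C:\Program Files\PowerShell\7\PWSH.EXE",
     "TargetFilename": r"C:\Temp\Payload.BAT"},                # case differs, still fires
    {"Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Temp\debug.bat"},                  # wrong parent process
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Temp\report.txt"},                 # wrong extension
]


def alerts(events):
    """Return the TargetFilename of every event the rule would fire on."""
    return [e["TargetFilename"] for e in events if selection_matches(e)]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("HackTool - PowerUp Write Hijack DLL:", hit)
```

Any PowerShell-hosted script that writes a .bat file matches as well, so expect benign hits from administrative scripts and triage them on the target path and filename.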