LoFP / any powershell script that creates bat files

Techniques

Sample rules

Powerup Write Hijack DLL

Description

PowerUp's Write Hijack DLL (the Write-HijackDll function) abuses DLL hijacking for privilege escalation. In its default mode it writes a self-deleting .bat file that executes the malicious command. This rule detects the creation of that .bat file (debug.bat by default) by powershell.exe or pwsh.exe. Because the selection matches on the .bat extension rather than the default file name, it also fires on any PowerShell script that writes a .bat file, which is the false positive listed above.

Detection logic

condition: selection
selection:
  Image|endswith:
  - \powershell.exe
  - \pwsh.exe
  TargetFilename|endswith: .bat
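The selection above evaluated against a few constructed Sysmon Event ID 11 (FileCreate) records, as an added example that is not code from this page or from the Sigma project. The paths and user names are invented; the field names follow Sysmon's Image and TargetFilename, and the comparison is case-insensitive because Sigma's string modifiers such as |endswith are case-insensitive by default.

```python
# Added example: apply the Sigma selection (Image ends with \powershell.exe
# or \pwsh.exe AND TargetFilename ends with .bat) to constructed Sysmon
# FileCreate events. Not code from the page or the Sigma project.

SUSPICIOUS_IMAGES = ("\\powershell.exe", "\\pwsh.exe")


def matches_powerup_write_hijack(event: dict) -> bool:
    """Return True when the event satisfies 'condition: selection'.

    Sigma's |endswith compares case-insensitively by default, so both
    fields are lower-cased before the suffix check.
    """
    image = str(event.get("Image", "")).lower()
    target = str(event.get("TargetFilename", "")).lower()
    return image.endswith(SUSPICIOUS_IMAGES) and target.endswith(".bat")


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    # PowerUp default: debug.bat dropped by powershell.exe -> true positive
    {"EventID": 11,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\debug.bat"},
    # Benign admin script writing a .bat from pwsh -> the documented false positive
    {"EventID": 11,
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "TargetFilename": r"C:\Scripts\deploy.BAT"},
    # cmd.exe writing a .bat -> Image does not match, no alert
    {"EventID": 11,
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Temp\run.bat"},
    # powershell writing a .ps1 -> extension does not match, no alert
    {"EventID": 11,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Temp\helper.ps1"},
]


def alerts(events):
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if matches_powerup_write_hijack(e)]


if __name__ == "__main__":
    for name in alerts(SAMPLE_EVENTS):
        print("ALERT:", name)
```

The second event is the false positive this page is about: an ordinary deployment script written from pwsh trips the rule exactly like PowerUp does. Narrowing TargetFilename to debug.bat in a temp directory would cut that noise, but since the name is only PowerUp's default, it would also miss a run that chose another file name, so filtering on known script paths or on process ancestry is the safer tuning.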