LoFP / False positives may be present based on developers or third-party utilities adding items to the GAC.

Techniques

Sample rules

Windows PowerShell Add Module to Global Assembly Cache

Description

The following analytic detects the addition of a DLL to the Windows Global Assembly Cache (GAC) using PowerShell. It leverages PowerShell Script Block Logging to identify commands containing “system.enterpriseservices.internal.publish”. This activity is significant because adding a DLL to the GAC allows it to be shared across multiple applications, potentially enabling an adversary to execute malicious code system-wide. If confirmed malicious, this could lead to widespread code execution, privilege escalation, and persistent access across the operating system, posing a severe security risk.

Detection logic

`powershell` EventCode=4104 ScriptBlockText IN("*system.enterpriseservices.internal.publish*") 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_powershell_add_module_to_global_assembly_cache_filter`
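As an added example, not part of this page or the rule's project code: the same search and stats logic in Python over constructed 4104 events, with a hypothetical allowed-hosts set standing in for the filter macro so the developer/build-host false positives noted above can be tuned out.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Case-insensitive equivalent of: ScriptBlockText IN("*system.enterpriseservices.internal.publish*")
PATTERN = re.compile(r"system\.enterpriseservices\.internal\.publish", re.IGNORECASE)

# Constructed sample Script Block Logging events (not real telemetry). Field names
# follow the rule's stats clause; _time is a Unix epoch, as Splunk stores it.
SAMPLE_EVENTS = [
    {"_time": 1714557600, "EventCode": 4104, "dest": "ws01", "user_id": "S-1-5-21-1-1001",
     "ScriptBlockId": "b1", "ScriptBlockText": "$pub = New-Object System.EnterpriseServices.Internal.Publish"},
    # second part of the same multi-part script block: same ScriptBlockId, 5 s later, different case
    {"_time": 1714557605, "EventCode": 4104, "dest": "ws01", "user_id": "S-1-5-21-1-1001",
     "ScriptBlockId": "b1", "ScriptBlockText": "$pub.GetType().FullName  # SYSTEM.ENTERPRISESERVICES.INTERNAL.PUBLISH"},
    # a developer build server legitimately touching the GAC: the documented false positive
    {"_time": 1714557700, "EventCode": 4104, "dest": "build01", "user_id": "S-1-5-21-1-2002",
     "ScriptBlockId": "b2", "ScriptBlockText": "New-Object System.EnterpriseServices.Internal.Publish"},
    # unrelated script block on another host: must not match
    {"_time": 1714557800, "EventCode": 4104, "dest": "ws02", "user_id": "S-1-5-21-1-1003",
     "ScriptBlockId": "b3", "ScriptBlockText": "Get-Process | Where-Object CPU -gt 100"},
    # matching text but a 4103 pipeline event: the rule only looks at EventCode 4104
    {"_time": 1714557900, "EventCode": 4103, "dest": "ws03", "user_id": "S-1-5-21-1-1004",
     "ScriptBlockId": "b4", "ScriptBlockText": "System.EnterpriseServices.Internal.Publish"},
]

def ctime(epoch):
    """Human-readable UTC time, standing in for `security_content_ctime`."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def is_hit(event):
    """The rule's search clause: EventCode=4104 and the GAC publisher class name in the text."""
    text = event.get("ScriptBlockText") or ""  # `fillnull` equivalent for a missing field
    return event.get("EventCode") == 4104 and PATTERN.search(text) is not None

def detect(events, allowed_hosts=frozenset()):
    """stats count min(_time) max(_time) by dest user_id ScriptBlockId, then the *_filter macro:
    allowed_hosts (hypothetical tuning input) names hosts where GAC installs are expected."""
    groups = defaultdict(list)
    for ev in filter(is_hit, events):
        groups[(ev["dest"], ev["user_id"], ev["ScriptBlockId"])].append(ev["_time"])
    rows = []
    for (dest, user_id, sbid), times in groups.items():
        if dest in allowed_hosts:  # drop known-benign developer/build hosts
            continue
        rows.append({"dest": dest, "user_id": user_id, "ScriptBlockId": sbid, "count": len(times),
                     "firstTime": ctime(min(times)), "lastTime": ctime(max(times))})
    return sorted(rows, key=lambda r: r["dest"])
```

Calling `detect(SAMPLE_EVENTS, allowed_hosts={"build01"})` leaves only the ws01 row (count 2, both parts of the split script block); without the allowlist the build01 row is reported as well.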