False positives may be present when developers or third-party utilities add items to the GAC.

Techniques

Sample rules

Windows PowerShell Add Module to Global Assembly Cache

Description

The following analytic detects the addition of a DLL to the Windows Global Assembly Cache (GAC) using PowerShell. It leverages PowerShell Script Block Logging to identify commands containing “system.enterpriseservices.internal.publish”. This activity is significant because adding a DLL to the GAC allows it to be shared across multiple applications, potentially enabling an adversary to execute malicious code system-wide. If confirmed malicious, this could lead to widespread code execution, privilege escalation, and persistent access across the operating system, posing a severe security risk.

Detection logic

`powershell` EventCode=4104 ScriptBlockText IN("*system.enterpriseservices.internal.publish*") 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_powershell_add_module_to_global_assembly_cache_filter`
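As an added example (not part of the Splunk rule or its macros), the search above re-implemented in Python over constructed 4104 events, so the grouping and first/last-seen logic can be checked offline. The `is_allowlisted` hook stands in for the `windows_powershell_add_module_to_global_assembly_cache_filter` macro, and the script block text in the samples is constructed, not captured telemetry.

```python
# Added example: re-implementation of the SPL detection over sample events.
from datetime import datetime

KEYWORD = "system.enterpriseservices.internal.publish"

# Constructed sample events carrying the fields the SPL search relies on.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "_time": "2024-03-01T10:00:00", "Computer": "WS01",
     "user_id": "CORP\\alice",
     "ScriptBlockText": "$p = New-Object System.EnterpriseServices.Internal.Publish; "
                        "$p.GacInstall('C:\\Temp\\example.dll')"},
    {"EventCode": 4104, "_time": "2024-03-01T10:05:00", "Computer": "WS01",
     "user_id": "CORP\\alice",
     "ScriptBlockText": "$p = New-Object System.EnterpriseServices.Internal.Publish; "
                        "$p.GacInstall('C:\\Temp\\example.dll')"},  # same block again
    {"EventCode": 4104, "_time": "2024-03-01T11:00:00", "Computer": "BUILD01",
     "user_id": "CORP\\svc_build",
     "ScriptBlockText": "New-Object SYSTEM.ENTERPRISESERVICES.INTERNAL.PUBLISH"},  # case differs
    {"EventCode": 4104, "_time": "2024-03-01T11:30:00", "Computer": "WS02",
     "user_id": "CORP\\bob", "ScriptBlockText": "Get-Process | Sort-Object CPU"},  # unrelated
    {"EventCode": 4103, "_time": "2024-03-01T12:00:00", "Computer": "WS01",
     "user_id": "CORP\\alice",
     "ScriptBlockText": "New-Object System.EnterpriseServices.Internal.Publish"},  # wrong code
]

def is_allowlisted(event):
    """Assumed stand-in for the rule's filter macro; returns True to suppress an event."""
    return False

def detect_gac_publish(events, allowlist=is_allowlisted):
    """Mirror the SPL: EventCode=4104, case-insensitive substring match, then
    stats count/min(_time)/max(_time) by EventCode ScriptBlockText Computer user_id."""
    groups = {}
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue
        text = ev.get("ScriptBlockText", "")
        if KEYWORD not in text.lower():  # SPL wildcard IN() matching is case-insensitive
            continue
        if allowlist(ev):
            continue
        key = (ev["EventCode"], text, ev["Computer"], ev["user_id"])
        t = datetime.fromisoformat(ev["_time"])
        g = groups.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], t)
        g["lastTime"] = max(g["lastTime"], t)
    return [dict(EventCode=k[0], ScriptBlockText=k[1], Computer=k[2], user_id=k[3], **v)
            for k, v in groups.items()]

if __name__ == "__main__":
    for row in detect_gac_publish(SAMPLE_EVENTS):
        print(row["Computer"], row["user_id"], row["count"], row["firstTime"], row["lastTime"])
```

Passing a custom `allowlist` (for example, one that suppresses a known build-service account) is how the false-positive note above would be tuned without loosening the match itself.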