LoFP

False positives may be present based on developers or third-party utilities adding items to the GAC.

Techniques

Sample rules

Windows PowerShell Add Module to Global Assembly Cache

Description

The following PowerShell Script Block analytic identifies use of the native ability to add a DLL to the Windows Global Assembly Cache (GAC). Each computer where the Common Language Runtime is installed has a machine-wide code cache, the Global Assembly Cache, which stores assemblies specifically designated to be shared by several applications on that computer. Adding a DLL to the GAC allows an adversary to call it by any other means from anywhere on the operating system. This capability is native and built into Windows. Per the Microsoft blog, the higher-fidelity method may be to look for W3WP.exe spawning PowerShell with the same command line identified in this analytic.

Detection logic

`powershell` EventCode=4104 ScriptBlockText IN("*system.enterpriseservices.internal.publish*")
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_add_module_to_global_assembly_cache_filter`
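The search above re-expressed in plain Python, as an added example that is not part of the LoFP page or of the Splunk security_content project: it runs the same substring match, the same `stats ... by` aggregation and a stand-in for the filter macro over constructed 4104 events, so the false-positive case noted at the top of the page (a build agent legitimately adding to the GAC) can be seen being tuned out while the remaining hit is kept. The event values, host names, user names and the `KNOWN_BUILD_CONTEXTS` allowlist are constructed; the real `windows_powershell_add_module_to_global_assembly_cache_filter` macro is whatever the deploying team defines, and the allowlist here is only one possible shape for it.

```python
"""
Added example: the Splunk search re-implemented over constructed events.
Field names follow the search (EventCode, ScriptBlockText, Computer, user_id,
_time); every event value and the allowlist below are constructed, not real telemetry.
"""
from datetime import datetime, timezone

# Substring the search looks for; SPL IN("*...*") on ScriptBlockText is case-insensitive.
PATTERN = "system.enterpriseservices.internal.publish"

# Constructed sample events shaped like Windows PowerShell EventCode 4104 records.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "_time": 1714554724, "Computer": "WEB01.corp.example",
     "user_id": "CORP\\svc_web",
     "ScriptBlockText": "$p = New-Object System.EnterpriseServices.Internal.Publish; "
                        "$p.GacInstall('C:\\inetpub\\temp\\x.dll')"},
    {"EventCode": 4104, "_time": 1714554729, "Computer": "WEB01.corp.example",
     "user_id": "CORP\\svc_web",
     "ScriptBlockText": "$p = New-Object System.EnterpriseServices.Internal.Publish; "
                        "$p.GacInstall('C:\\inetpub\\temp\\x.dll')"},
    # A build agent doing the same thing legitimately: the LoFP case from the top of the page.
    {"EventCode": 4104, "_time": 1714551000, "Computer": "BUILD02.corp.example",
     "user_id": "CORP\\jenkins",
     "ScriptBlockText": "[System.EnterpriseServices.Internal.Publish]::new().GacInstall('C:\\Build\\out\\Lib.dll')"},
    # Benign script block that does not match the pattern.
    {"EventCode": 4104, "_time": 1714551100, "Computer": "WS17.corp.example",
     "user_id": "CORP\\alice",
     "ScriptBlockText": "Get-ChildItem C:\\Windows\\Microsoft.NET\\assembly"},
    # Matching text but the wrong event code (4103 is module logging, not script block logging).
    {"EventCode": 4103, "_time": 1714551200, "Computer": "WS17.corp.example",
     "user_id": "CORP\\alice",
     "ScriptBlockText": "System.EnterpriseServices.Internal.Publish"},
]

# Constructed stand-in for the filter macro: (Computer, user_id) pairs known to add
# assemblies to the GAC as part of normal build work. Assumption, not the project's macro.
KNOWN_BUILD_CONTEXTS = {("BUILD02.corp.example", "CORP\\jenkins")}


def matches(event):
    """EventCode=4104 ScriptBlockText IN("*system.enterpriseservices.internal.publish*")"""
    return event["EventCode"] == 4104 and PATTERN in event["ScriptBlockText"].lower()


def ctime(epoch):
    """Stand-in for `security_content_ctime`: epoch seconds to a UTC timestamp string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def aggregate(events):
    """stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id"""
    rows = {}
    for ev in events:
        key = (ev["EventCode"], ev["ScriptBlockText"], ev["Computer"], ev["user_id"])
        row = rows.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return [
        {"EventCode": code, "ScriptBlockText": text, "Computer": computer, "user_id": user,
         "count": agg["count"], "firstTime": ctime(agg["firstTime"]), "lastTime": ctime(agg["lastTime"])}
        for (code, text, computer, user), agg in rows.items()
    ]


def apply_filter(rows, known=KNOWN_BUILD_CONTEXTS):
    """Drop rows from known build contexts; every other row stays in the alert."""
    return [r for r in rows if (r["Computer"], r["user_id"]) not in known]


def run(events=SAMPLE_EVENTS, known=KNOWN_BUILD_CONTEXTS):
    """Whole pipeline: match, aggregate, then apply the false-positive filter."""
    return apply_filter(aggregate(ev for ev in events if matches(ev)), known)


if __name__ == "__main__":
    for row in run():
        print(f"{row['Computer']} {row['user_id']} count={row['count']} "
              f"first={row['firstTime']} last={row['lastTime']}")
```

Of the five constructed events, three match the pattern (the 4103 record and the directory listing do not), they collapse to two aggregated rows, and the filter removes the build-agent row, leaving the two identical script blocks on the web server as a single row with count 2. Keying the allowlist on host and account rather than on the DLL path is a design choice: a path under a build output directory is easy for an attacker to imitate, while a specific build host running a specific service account is the context the LoFP note actually describes.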