Techniques
Sample rules
AgentExecutor PowerShell Execution
- source: sigma
- techniques:
- t1218
Description
Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy "Bypass", or to run any binary named "powershell.exe" located in the path supplied as the 6th positional argument.
Detection logic
selection_img:
    - Image|endswith: \AgentExecutor.exe
    - OriginalFileName: AgentExecutor.exe
selection_cli:
    CommandLine|contains:
        - ' -powershell'
        - ' -remediationScript'
filter_main_intune:
    ParentImage|endswith: \Microsoft.Management.Services.IntuneWindowsAgent.exe
condition: all of selection_* and not 1 of filter_main_*
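The detection logic above, re-implemented in plain Python and run over a handful of constructed process-creation events, as an added example (not code from the Sigma project or from the rule's author). The helper names, the Intune Management Extension install path and every sample event are assumptions made for the illustration. It shows why the rule pairs Image with OriginalFileName (a renamed copy of the binary is still caught), why the command-line strings start with a space, and how the Intune-agent parent filter keeps the expected invocation quiet.

```python
"""Added example: the Sigma detection for "AgentExecutor PowerShell Execution"
re-implemented in plain Python over constructed process-creation events.
Illustration only, not the Sigma project's backend; sample data is invented.
Sigma string matching is case-insensitive, so both sides are lower-cased."""

from typing import Dict, List

Event = Dict[str, str]


def _endswith(value: str, suffix: str) -> bool:
    """Sigma |endswith modifier (case-insensitive)."""
    return value.lower().endswith(suffix.lower())


def _contains_any(value: str, needles: List[str]) -> bool:
    """Sigma |contains with a list value: OR over the list (case-insensitive)."""
    lowered = value.lower()
    return any(n.lower() in lowered for n in needles)


def selection_img(ev: Event) -> bool:
    # A list of maps in Sigma is an OR: match the on-disk file name or the PE
    # OriginalFileName, so a renamed copy of the binary is still identified.
    return (_endswith(ev.get("Image", ""), "\\AgentExecutor.exe")
            or ev.get("OriginalFileName", "").lower() == "agentexecutor.exe")


def selection_cli(ev: Event) -> bool:
    # The leading space means the flag must appear as a separate argument.
    return _contains_any(ev.get("CommandLine", ""),
                         [" -powershell", " -remediationScript"])


def filter_main_intune(ev: Event) -> bool:
    # Expected parent: the Intune Management Extension agent process.
    return _endswith(ev.get("ParentImage", ""),
                     "\\Microsoft.Management.Services.IntuneWindowsAgent.exe")


def matches(ev: Event) -> bool:
    """condition: all of selection_* and not 1 of filter_main_*"""
    return selection_img(ev) and selection_cli(ev) and not filter_main_intune(ev)


# Constructed sample events (assumed install path, invented command lines);
# none of this is captured telemetry.
IME_DIR = r"C:\Program Files (x86)\Microsoft Intune Management Extension"
EVENTS: List[Event] = [
    {   # 0: launched by the Intune agent itself: selections hit, filter removes it
        "Image": IME_DIR + r"\AgentExecutor.exe",
        "OriginalFileName": "AgentExecutor.exe",
        "CommandLine": r'AgentExecutor.exe -powershell "C:\Windows\IMECache\detect.ps1"',
        "ParentImage": IME_DIR + r"\Microsoft.Management.Services.IntuneWindowsAgent.exe",
    },
    {   # 1: interactive abuse from cmd.exe; mixed-case flag still matches
        "Image": IME_DIR + r"\AgentExecutor.exe",
        "OriginalFileName": "AgentExecutor.exe",
        "CommandLine": r'AgentExecutor.exe -PowerShell "C:\Users\Public\payload.ps1"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # 2: renamed copy, identified only through OriginalFileName
        "Image": r"C:\Temp\ae.exe",
        "OriginalFileName": "AgentExecutor.exe",
        "CommandLine": r'ae.exe -remediationScript "C:\Temp\fix.ps1"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # 3: the binary runs but neither flag is on the command line: no alert
        "Image": IME_DIR + r"\AgentExecutor.exe",
        "OriginalFileName": "AgentExecutor.exe",
        "CommandLine": "AgentExecutor.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]


def alerts(events: List[Event]) -> List[int]:
    """Indices of the events the rule would fire on."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    for i in alerts(EVENTS):
        ev = EVENTS[i]
        print(f"ALERT event {i}: {ev['CommandLine']} (parent {ev['ParentImage']})")
```

Only events 1 and 2 fire: event 0 is the legitimate Intune parent the filter is written for, and event 3 never satisfies selection_cli. In production the rule should be converted with the Sigma tooling (sigma-cli/pySigma) into the target SIEM's query language rather than evaluated by hand-written code like this; the point of the example is to make the matching semantics explicit.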