LoFP / used by some .net binaries, minimal on user workstation.

Techniques

Sample rules

PowerShell Core DLL Loaded By Non PowerShell Process

Description

Detects loading of essential DLLs used by PowerShell by a non-PowerShell process. Detects behavior similar to Meterpreter's "load powershell" extension.

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_dotnet:
  Image|contains:
  - :\Windows\Microsoft.NET\Framework\
  - :\Windows\Microsoft.NET\Framework64\
  Image|endswith: \mscorsvw.exe
filter_main_generic:
  Image|endswith:
  - :\Program Files\PowerShell\7\pwsh.exe
  - :\Windows\System32\dsac.exe
  - :\WINDOWS\System32\RemoteFXvGPUDisablement.exe
  - :\Windows\System32\runscripthelper.exe
  - :\WINDOWS\System32\sdiagnhost.exe
  - :\Windows\System32\ServerManager.exe
  - :\Windows\System32\SyncAppvPublishingServer.exe
  - :\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
  - :\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  - :\Windows\System32\winrshost.exe
  - :\Windows\System32\wsmprovhost.exe
  - :\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
  - :\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  - :\Windows\SysWOW64\winrshost.exe
  - :\Windows\SysWOW64\wsmprovhost.exe
filter_optional_aurora:
  Image: null
filter_optional_chocolatey:
  Image|contains: :\ProgramData\chocolatey\choco.exe
filter_optional_citrix:
  Image|endswith: \Citrix\ConfigSync\ConfigSyncRun.exe
filter_optional_nextron:
  Image|contains: :\Windows\Temp\asgard2-agent\
  Image|endswith:
  - \thor64.exe
  - \thor.exe
filter_optional_sql_server_mgmt:
  Image|contains:
  - :\Program Files (x86)\Microsoft SQL Server Management Studio
  - :\Program Files\Microsoft SQL Server Management Studio
  Image|endswith: \IDE\Ssms.exe
filter_optional_sql_server_tools:
  Image|contains:
  - :\Program Files (x86)\Microsoft SQL Server\
  - :\Program Files\Microsoft SQL Server\
  Image|endswith: \Tools\Binn\SQLPS.exe
filter_optional_vs:
  Image|contains:
  - :\Program Files (x86)\Microsoft Visual Studio\
  - :\Program Files\Microsoft Visual Studio\
selection:
- Description: System.Management.Automation
- OriginalFileName: System.Management.Automation.dll
- ImageLoaded|endswith:
  - \System.Management.Automation.dll
  - \System.Management.Automation.ni.dll
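The condition above, evaluated in Python over constructed image-load events. This is an added example, not code from the LoFP page or the Sigma project; it includes only a subset of the rule's filters and assumes event field names that match the rule's (Image, ImageLoaded, Description, OriginalFileName).

```python
# Added example, not from the LoFP page or the Sigma project: a minimal evaluator
# for this rule's selection/filter logic over constructed image-load events.
def _match(value, modifier, patterns):
    """Case-insensitive Sigma string match; a None pattern means 'field absent'."""
    if patterns is None or value is None:
        return value is None and patterns is None
    v = str(value).lower()
    pats = patterns if isinstance(patterns, list) else [patterns]
    ops = {"contains": lambda p: p in v, "endswith": v.endswith, "": v.__eq__}
    return any(ops[modifier](str(p).lower()) for p in pats)

def _block(event, block):
    """A dict ANDs its fields; a list of dicts ORs them (Sigma semantics)."""
    if isinstance(block, list):
        return any(_block(event, b) for b in block)
    for key, pats in block.items():
        field, _, mod = key.partition("|")
        if not _match(event.get(field), mod, pats):
            return False
    return True

SELECTION = [
    {"Description": "System.Management.Automation"},
    {"OriginalFileName": "System.Management.Automation.dll"},
    {"ImageLoaded|endswith": [r"\System.Management.Automation.dll", r"\System.Management.Automation.ni.dll"]},
]
FILTERS = [  # a subset of the rule's filter_main_* / filter_optional_* blocks
    {"Image|contains": [":\\Windows\\Microsoft.NET\\Framework\\",      # escaped: raw strings
                        ":\\Windows\\Microsoft.NET\\Framework64\\"],   # cannot end in "\"
     "Image|endswith": r"\mscorsvw.exe"},                              # filter_main_dotnet
    {"Image|endswith": r":\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # filter_main_generic (partial)
    {"Image": None},                                                   # filter_optional_aurora
]

def rule_matches(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return _block(event, SELECTION) and not any(_block(event, f) for f in FILTERS)

EVENTS = [  # constructed sample events (Windows-style paths assumed, not real telemetry)
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation.ni.dll"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe",
     "OriginalFileName": "System.Management.Automation.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Windows\System32\WindowsPowerShell\v1.0\System.Management.Automation.dll"},
]

def alerts(events):
    return [e["Image"] for e in events if rule_matches(e)]  # Image of every event the rule fires on
```

Only the unknown process in the user's Temp directory fires; powershell.exe and the .NET native-image service (mscorsvw.exe, the source of the false positive this page records) are suppressed by the filters.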