SigmaHQ/rules/windows/process_creation/win_powershell_dll_execution.yml
2020-10-15 18:21:05 -03:00

32 lines
878 B
YAML

title: Detection of PowerShell Execution via DLL
id: 6812a10b-60ea-420c-832f-dfcc33b646ba
status: experimental
description: Detects PowerShell Strings applied to rundll as seen in PowerShdll.dll
references:
- https://github.com/p3nt4/PowerShdll/blob/master/README.md
tags:
- attack.defense_evasion
- attack.t1085 # an old one
- attack.t1218.011
author: Markus Neis
date: 2018/08/25
modified: 2020/09/01
logsource:
category: process_creation
product: windows
detection:
selection1:
Image|endsswith:
- '\rundll32.exe'
selection2:
Description|contains:
- 'Windows-Hostprozess (Rundll32)'
selection3:
CommandLine|contains:
- 'Default.GetString'
- 'FromBase64String'
condition: (selection1 or selection2) and selection3
falsepositives:
- Unknown
level: high