title: Detection of PowerShell Execution via DLL
status: experimental
description: Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll
references:
    - https://github.com/p3nt4/PowerShdll/blob/master/README.md
tags:
    - attack.execution
    - attack.t1086
author: Markus Neis
date: 2018/08/25
logsource:
    product: windows
    service: sysmon
detection:
    selection1:
        EventID: 1
        Image:
            - '*\rundll32.exe'
    selection2:
        EventID: 1
        Description:
            - '*Windows-Hostprozess (Rundll32)*'
    selection3:
        EventID: 1
        CommandLine:
            - '*Default.GetString*'
            - '*FromBase64String*'
    condition: (selection1 or selection2) and selection3
falsepositives:
    - Unknown
level: high