rules/windows/process_creation/win_powershell_dll_execution.yml

title: Detection of PowerShell Execution via DLL
id: 6812a10b-60ea-420c-832f-dfcc33b646ba
status: test
description: Detects PowerShell Strings applied to rundll as seen in PowerShdll.dll
author: Markus Neis
references:
  - https://github.com/p3nt4/PowerShdll/blob/master/README.md
date: 2018/08/25
modified: 2021/11/27
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    Image|endswith:
      - '\rundll32.exe'
  selection2:
    Description|contains:
      - 'Windows-Hostprozess (Rundll32)'
  selection3:
    CommandLine|contains:
      - 'Default.GetString'
      - 'FromBase64String'
  condition: (selection1 or selection2) and selection3
falsepositives:
  - Unknown
level: high
tags:
  - attack.defense_evasion
  - attack.t1085            # an old one
  - attack.t1218.011
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`title: Detection of PowerShell Execution via DLL`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 6812a10b-60ea-420c-832f-dfcc33b646ba`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
review windows/process_creation part 4 2020-09-02 02:34:34 +02:00			`description: Detects PowerShell Strings applied to rundll as seen in PowerShdll.dll`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`author: Markus Neis`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`references:`
			`- https://github.com/p3nt4/PowerShdll/blob/master/README.md`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`date: 2018/08/25`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`modified: 2021/11/27`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`logsource:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`category: process_creation`
			`product: windows`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`detection:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`selection1:`
			`Image\|endswith:`
			`- '\rundll32.exe'`
			`selection2:`
			`Description\|contains:`
			`- 'Windows-Hostprozess (Rundll32)'`
			`selection3:`
			`CommandLine\|contains:`
			`- 'Default.GetString'`
			`- 'FromBase64String'`
			`condition: (selection1 or selection2) and selection3`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`falsepositives:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- Unknown`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`level: high`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`tags:`
			`- attack.defense_evasion`
			`- attack.t1085 # an old one`
			`- attack.t1218.011`