security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
063bb57dfdabbefb7c84166b7a35dfdabd2b8c90
blue-team-tools/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml
T
Nasreddine Bencherchali e43371ffcf fix: small typos
2023-01-04 17:51:34 +01:00

31 lines
1.2 KiB
YAML
Raw Blame History

title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell Module
id: 38a7625e-b2cb-485d-b83d-aff137d859f4
status: experimental
description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: frack113
date: 2021/07/13
modified: 2023/01/04
tags:
- attack.defense_evasion
- attack.t1218
logsource:
product: windows
category: ps_module
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection_cmd:
ContextInfo|contains: 'Invoke-ATHRemoteFXvGPUDisablementCommand '
selection_opt:
ContextInfo|contains:
- '-ModuleName '
- '-ModulePath '
- '-ScriptBlock '
- '-RemoteFXvGPUDisablementFilePath'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Reference in New Issue View Git Blame Copy Permalink