Nasreddine Bencherchali
598d29f811
chore: change tags, date, modified fields to comply with v2 of the Sigma spec. chore: update the related type from `obsoletes` to `obsolete`. chore: update local json schema to the latest version.
31 lines
1.4 KiB
YAML
31 lines
1.4 KiB
YAML
title: Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
|
|
id: cacef8fc-9d3d-41f7-956d-455c6e881bc5
|
|
related:
|
|
- id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation
|
|
type: similar
|
|
- id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic
|
|
type: similar
|
|
- id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module
|
|
type: similar
|
|
status: test
|
|
description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
|
|
references:
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
|
|
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
|
|
author: Nasreddine Bencherchali (Nextron Systems)
|
|
date: 2023-05-09
|
|
tags:
|
|
- attack.defense-evasion
|
|
- attack.t1218
|
|
logsource:
|
|
product: windows
|
|
category: ps_script
|
|
definition: bade5735-5ab0-4aa7-a642-a11be0e40872
|
|
detection:
|
|
selection:
|
|
ScriptBlockText|startswith: 'function Get-VMRemoteFXPhysicalVideoAdapter {'
|
|
condition: selection
|
|
falsepositives:
|
|
- Unknown
|
|
level: high
|