PowerShell Core DLL Loaded By Non PowerShell Process

Sigma Rules

Summary
This rule detects a process other than a PowerShell host loading the PowerShell engine assembly, System.Management.Automation.dll (or its precompiled native image, System.Management.Automation.ni.dll), as reported by image-load telemetry such as Sysmon Event ID 7. The engine is an ordinary .NET assembly, so any process that loads it can run PowerShell commands in-process without ever spawning powershell.exe or pwsh.exe. That is exactly what the Meterpreter 'load powershell' extension does: it injects the CLR and the engine into an already-compromised process, so process-creation and command-line based detections that key on the PowerShell executables never fire. The technique is common in penetration tests and red team operations, and in real intrusions. The rule selects image-load events where the loaded module is the engine assembly and excludes the legitimate PowerShell host processes; additional filters for known applications that embed the engine (management consoles, IDEs, scripting hosts) keep the false-positive rate manageable. Treat a hit as a pivot point rather than a verdict: inspect the loading process's parent, command line and network activity, and expect to maintain an environment-specific allow-list, because any .NET application can legitimately host the engine.
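The matching logic described above, as an added example that is not the Sigma project's code: a small evaluator that applies the selection (engine assembly loaded), the PowerShell host exclusions, and a tuning filter to constructed Sysmon Event ID 7 records. The exclusion list (powershell.exe, powershell_ise.exe, pwsh.exe) is this example's reading of "PowerShell process"; the `filter_known_hosts` entry and the sample events, including every path in them, are hypothetical and constructed for illustration.

```python
"""
Added example, not code from the Sigma project: a minimal evaluator that applies
the detection logic this rule describes to constructed Sysmon Event ID 7
(Image loaded) records and reports the processes that should alert.
"""

# Detection written in the shape of a Sigma 'detection' section. The two engine
# assembly names and the PowerShell host exclusions follow the rule's summary;
# 'filter_known_hosts' is a hypothetical, environment-specific allow-list added
# here only to show where tuning fits in.
RULE = {
    "selection": {
        "ImageLoaded|endswith": [
            "\\System.Management.Automation.dll",
            "\\System.Management.Automation.ni.dll",
        ],
    },
    "filter_powershell": {
        "Image|endswith": ["\\powershell.exe", "\\powershell_ise.exe", "\\pwsh.exe"],
    },
    "filter_known_hosts": {  # hypothetical allow-list entry, not part of the public rule
        "Image|endswith": ["\\contoso-admin-console.exe"],
    },
    "condition": "selection and not 1 of filter_*",
}


def _field_matches(event, key, patterns):
    """One 'Field|modifier': value(s) entry. List values are OR-ed. Comparisons
    are case-insensitive, as Sigma string matching and Windows paths are."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    if isinstance(patterns, str):
        patterns = [patterns]
    pats = [p.lower() for p in patterns]
    if modifier == "endswith":
        return any(value.endswith(p) for p in pats)
    if modifier == "contains":
        return any(p in value for p in pats)
    if modifier == "":
        return any(value == p for p in pats)
    raise ValueError(f"unsupported Sigma modifier: {modifier!r}")


def _block_matches(event, block):
    """All entries of a selection/filter map must hold (Sigma AND semantics)."""
    return all(_field_matches(event, key, val) for key, val in block.items())


def matches(event, rule=RULE):
    """Evaluate 'selection and not 1 of filter_*' for one image-load event."""
    if not _block_matches(event, rule["selection"]):
        return False
    filters = [blk for name, blk in rule.items() if name.startswith("filter_")]
    return not any(_block_matches(event, blk) for blk in filters)


def scan(events, rule=RULE):
    """Return the events the rule fires on, in input order."""
    return [ev for ev in events if matches(ev, rule)]


# Constructed Sysmon Event ID 7 records (Image = loading process,
# ImageLoaded = DLL path). Paths are illustrative, not captured telemetry.
GAC_SMA = (r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
           r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 4120,  # legitimate host: excluded
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": GAC_SMA},
    {"EventID": 7, "ProcessId": 5588,  # legitimate host: excluded
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ImageLoaded": r"C:\Program Files\PowerShell\7\System.Management.Automation.dll"},
    {"EventID": 7, "ProcessId": 7320,  # Meterpreter-style: unrelated process hosts the engine
     "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": GAC_SMA},
    {"EventID": 7, "ProcessId": 9004,  # native-image (ngen) variant of the assembly
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Windows\assembly\NativeImages_v4.0.30319_64"
                    r"\System.Management.Automation\System.Management.Automation.ni.dll"},
    {"EventID": 7, "ProcessId": 7320,  # same notepad.exe, unrelated DLL: no hit
     "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "ProcessId": 6112,  # allow-listed in-house engine host: filtered
     "Image": r"C:\Program Files\Contoso\contoso-admin-console.exe",
     "ImageLoaded": r"C:\Program Files\Contoso\System.Management.Automation.dll"},
    {"EventID": 7, "ProcessId": 8800,  # mixed case must still match
     "Image": r"C:\TEMP\SVC.EXE",
     "ImageLoaded": r"C:\TEMP\SYSTEM.MANAGEMENT.AUTOMATION.DLL"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT pid={hit['ProcessId']} image={hit['Image']} loaded={hit['ImageLoaded']}")
```

Running the block prints three alerts: notepad.exe, updater.exe and SVC.EXE. The two PowerShell hosts and the allow-listed console are suppressed by the filters, and the kernel32.dll load never enters the selection. Note that the filters only ever remove events that already passed the selection, so an overly broad allow-list (for example, matching on a directory rather than a file name) silently blinds the rule; keep allow-list entries as specific as the `endswith` on a full executable name shown here.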
Categories
  • Windows
  • Endpoint
  • Application
Data Sources
  • Image
  • Process
Created: 2019-11-14