Detect PowerShell w/o PowerShell Execution via RunDLL32 and various other methods #4197
Hi, we have 2 rules covering a similar behaviour.
Hope this helps.
Hi @nasbench thanks for the swift feedback - I apparently overlooked those two rules.
Still haven't delved deep into them; I appreciate you providing them and will definitely look into them to see if I can improve them in any form. I'll leave this open for now just so I can get back to you once I finish checking everything in them. Thanks once again, I really appreciate the feedback.
Description of the Idea of the Rule
I want to propose a rule enabling the detection of PowerShell without using the well-known powershell.exe but rather via rundll32.exe and various other methods. Projects like PowerShx and its predecessor PowerShdll enable this method of PowerShell execution. Happy to gather feedback from you!
Public References / Example Event Log
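Two checks such a rule could make, written here as an added example (not code from this issue or from the Sigma project) and run over constructed Sysmon-style events: rundll32.exe loading the managed PowerShell engine DLL, and a rundll32.exe command line naming one of the projects mentioned above. Field names follow Sysmon/Sigma conventions (Image, ImageLoaded, CommandLine); the event IDs, marker strings and sample paths are assumptions.

```python
"""Detection logic for PowerShell hosted outside powershell.exe (e.g. via
rundll32.exe loading PowerShdll/PowerShx), evaluated over constructed events."""
from typing import Dict, List, Optional

# Sysmon event IDs (assumed): 1 = process creation, 7 = image load.
PROCESS_CREATE, IMAGE_LOAD = 1, 7

# Any PowerShell host, rundll32 included, must load the engine assembly.
AUTOMATION_DLLS = ("\\system.management.automation.dll",
                   "\\system.management.automation.ni.dll")
# Command-line fragments naming the projects from the issue (assumed markers).
HOST_DLL_MARKERS = ("powershdll", "powershx")


def is_rundll32(image: str) -> bool:
    return image.lower().endswith("\\rundll32.exe")


def detect(event: Dict) -> Optional[str]:
    """Return the name of the matching check, or None for a benign event."""
    eid = event.get("EventID")
    image = event.get("Image", "")
    if eid == IMAGE_LOAD and is_rundll32(image) \
            and event.get("ImageLoaded", "").lower().endswith(AUTOMATION_DLLS):
        return "powershell_engine_loaded_by_rundll32"
    if eid == PROCESS_CREATE and is_rundll32(image) \
            and any(m in event.get("CommandLine", "").lower() for m in HOST_DLL_MARKERS):
        return "rundll32_loads_powershell_host_dll"
    return None


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe C:\Users\u\PowerShdll.dll,main "Get-Process"'},
    {"EventID": 7, "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"},
    # Legitimate host loading the engine: must not fire.
    {"EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"},
    # Ordinary rundll32 use: must not fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def run(events: List[Dict] = SAMPLE_EVENTS) -> List[str]:
    """Names of the checks that fired, in event order."""
    return [name for name in (detect(e) for e in events) if name]


if __name__ == "__main__":
    print(run())
```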