AgentExecutor PowerShell Execution

    Date: 08/12/2024

    Severity: Medium

    Summary

    "AgentExecutor PowerShell Execution" refers to PowerShell scripts being run through AgentExecutor.exe, the component of the Microsoft Intune Management Extension that executes scripts delivered by Intune. In normal operation it is started by the Intune agent (Microsoft.Management.Services.IntuneWindowsAgent.exe) with the -powershell or -remediationScript switch, which is a legitimate administrative activity. Because it is a trusted Microsoft component that runs whatever script it is handed, attackers can also use it to run unauthorized scripts, automate attacks, or execute commands that compromise systems or exfiltrate data. Appropriate security measures include monitoring PowerShell usage, enforcing execution policies, and using security tools to detect and respond to suspicious activity.

    Indicators of Compromise (IOC) List

    Image: '\AgentExecutor.exe'

    OriginalFileName: 'AgentExecutor.exe'

    CommandLine: ' -powershell', ' -remediationScript'

    ParentImage: '\Microsoft.Management.Services.IntuneWindowsAgent.exe'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    ((((resourcename in ("Sysmon") AND eventtype = "1") AND image = "\AgentExecutor.exe") AND originalfilename = "AgentExecutor.exe") AND commandline in ("-powershell","-remediationScript")) AND parentimage in ("\Microsoft.Management.Services.IntuneWindowsAgent.exe")

    Detection Query 2

    ((((technologygroup = "EDR" ) AND image = "\AgentExecutor.exe") AND originalfilename = "AgentExecutor.exe") AND commandline in ("-powershell","-remediationScript")) AND parentimage in ("\Microsoft.Management.Services.IntuneWindowsAgent.exe")

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml

    Tags: Malware, Sigma, PowerShell Attack
