HackTool - DInjector PowerShell Cradle Execution

    Date: 09/16/2024

    Severity: Critical

    Summary

    Identifies use of the Dinject PowerShell cradle by matching the specific command-line flags listed below.

    Indicators of Compromise (IOC) List

    CommandLine

    ' /am51'

    ' /password'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (resourcename = "Windows Security"  AND eventtype = "4688"  ) AND newprocessname IN ("//am51","//password")

    Detection Query 2

    (resourcename = "Sysmon"  AND eventtype = "1"  ) AND commandline IN ("//am51","//password")

    Detection Query 3

    technologygroup = "EDR"  AND commandline IN ("//am51","//password")

    Detection Query 4

    technologygroup = "EDR" AND newprocessname IN ("//am51","//password")
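    The same flag matching the four queries above perform, as an added Python example that is not part of the original page or of Gurucul's product. It runs over constructed process-creation events whose field names (resourcename, eventtype, newprocessname, commandline) are assumed to mirror the queries; the leading space in each IOC is kept so a flag must be its own argument, and a require_all option shows how demanding both flags removes hits from unrelated tools that merely take a /password switch.

```python
from dataclasses import dataclass

# Flags from the IOC list above. The leading space is kept on purpose so the
# match needs a separate argument, not a substring of some other token.
DINJECTOR_FLAGS = (" /am51", " /password")

PROCESS_CREATION = {("Windows Security", "4688"), ("Sysmon", "1")}


@dataclass
class ProcessEvent:
    # Hypothetical normalised fields; the names mirror the queries above
    # but are an assumption about the schema, not Gurucul's definition.
    resourcename: str
    eventtype: str
    newprocessname: str
    commandline: str


def matched_flags(commandline: str) -> list[str]:
    """Return the DInjector flags found in a command line (case-insensitive)."""
    lowered = commandline.lower()
    return [flag for flag in DINJECTOR_FLAGS if flag in lowered]


def detect(events, require_all=False) -> list[tuple[str, list[str]]]:
    """Return (process name, matched flags) for each process-creation hit.

    require_all=False matches either flag, like the IN (...) lists above.
    require_all=True is a tuning option demanding both flags, which drops
    lone '/password' switches from unrelated tools.
    """
    hits = []
    for ev in events:
        if (ev.resourcename, ev.eventtype) not in PROCESS_CREATION:
            continue  # e.g. Sysmon EID 3 carries no new process
        flags = matched_flags(ev.commandline)
        if len(flags) >= (len(DINJECTOR_FLAGS) if require_all else 1):
            hits.append((ev.newprocessname, flags))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("Sysmon", "1", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -w hidden -c "... /am51 /password:Secret123"'),
    ProcessEvent("Windows Security", "4688", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c dir"),
    ProcessEvent("Windows Security", "4688", r"C:\Tools\backup.exe",
                 "backup.exe /user:svc /password:Secret123"),
    ProcessEvent("Sysmon", "3", "powershell.exe", "powershell.exe /am51 /password:x"),
]
```

With the default OR semantics the backup.exe event is reported on its /password switch alone; with require_all=True only the PowerShell event carrying both flags remains.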

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml 


    Tags

    SigmaMalware
