Suspicious AgentExecutor PowerShell Execution

    Date: 08/12/2024

    Severity: Medium

    Summary

    "Suspicious AgentExecutor PowerShell Execution" detects potentially malicious or unauthorized PowerShell commands executed through the AgentExecutor tool. Such activity may indicate an attempt to carry out unauthorized operations, such as data exfiltration or system compromise. Monitoring for this execution pattern helps identify and mitigate potential security threats.

    Indicators of Compromise (IOC) List

    Image

    '\AgentExecutor.exe'

    OriginalFileName

    'AgentExecutor.exe'

    CommandLine

    ' -powershell' 

    ' -remediationScript'

    'C:\Windows\System32\WindowsPowerShell\v1.0\'

    'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\'

    ParentImage

    '\Microsoft.Management.Services.IntuneWindowsAgent.exe'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    ((((resourcename in ("Sysmon") AND eventtype = "1") AND image = "\AgentExecutor.exe") AND originalfilename = "AgentExecutor.exe") AND commandline in ("-powershell" ,"-remediationScript", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0" , "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0"))

    Detection Query 2

    ((((resourcename in ("Sysmon") AND eventtype = "1") AND image = "\AgentExecutor.exe") AND originalfilename = "AgentExecutor.exe") AND commandline in ("-powershell","-remediationScript")) AND ParentImage in ("\Microsoft.Management.Services.IntuneWindowsAgent.exe")

    Detection Query 3

    ((((technologygroup = "EDR" ) AND image = "\AgentExecutor.exe") AND originalfilename = "AgentExecutor.exe") AND commandline in ("-powershell" ,"-remediationScript", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0" , "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0"))

    Detection Query 4

    ((((technologygroup = "EDR" ) AND image = "\AgentExecutor.exe") AND originalfilename = "AgentExecutor.exe") AND commandline in ("-powershell","-remediationScript")) AND ParentImage in ("\Microsoft.Management.Services.IntuneWindowsAgent.exe")
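    The following is an added example, not Gurucul's code: it applies the logic of Detection Query 1 and Detection Query 2 above to constructed Sysmon Event ID 1 records. Field names follow Sysmon; the query's "in" over command-line values is read as substring matching, comparisons are lower-cased (Windows paths and switches are case-insensitive), and all paths in the sample events are made up.

```python
IMAGE_SUFFIX = "\\agentexecutor.exe"
ORIGINAL_FILE_NAME = "agentexecutor.exe"
CMDLINE_TOKENS = ("-powershell", "-remediationscript")
POWERSHELL_DIRS = ("c:\\windows\\system32\\windowspowershell\\v1.0\\",
                   "c:\\windows\\syswow64\\windowspowershell\\v1.0\\")
INTUNE_PARENT_SUFFIX = "\\microsoft.management.services.intunewindowsagent.exe"


def _is_agentexecutor(event):
    """Shared checks: Sysmon process creation (Event ID 1) by AgentExecutor.exe.
    Values are lower-cased because Windows paths and switches are case-insensitive."""
    return (event.get("source") == "Sysmon" and event.get("EventID") == 1
            and event.get("Image", "").lower().endswith(IMAGE_SUFFIX)
            and event.get("OriginalFileName", "").lower() == ORIGINAL_FILE_NAME)


def matches_query1(event):
    """Query 1: any listed token appears in the command line ('in' read as substring)."""
    cmd = event.get("CommandLine", "").lower()
    return _is_agentexecutor(event) and any(t in cmd for t in CMDLINE_TOKENS + POWERSHELL_DIRS)


def matches_query2(event):
    """Query 2: -powershell / -remediationScript plus the Intune agent as parent."""
    cmd = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower()
    return (_is_agentexecutor(event) and any(t in cmd for t in CMDLINE_TOKENS)
            and parent.endswith(INTUNE_PARENT_SUFFIX))


# Constructed sample events (paths and script names are made up, not real telemetry).
SAMPLE_EVENTS = [
    {"source": "Sysmon", "EventID": 1, "OriginalFileName": "AgentExecutor.exe",
     "Image": "C:\\IME\\AgentExecutor.exe",
     "CommandLine": "AgentExecutor.exe -remediationScript C:\\IME\\detect.ps1",
     "ParentImage": "C:\\IME\\Microsoft.Management.Services.IntuneWindowsAgent.exe"},
    {"source": "Sysmon", "EventID": 1, "OriginalFileName": "AgentExecutor.exe",
     "Image": "C:\\Users\\Public\\AgentExecutor.exe",
     "CommandLine": "AgentExecutor.exe -powershell C:\\Users\\Public\\run.ps1",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"source": "Sysmon", "EventID": 1, "OriginalFileName": "PowerShell.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]


def run_detections(events=SAMPLE_EVENTS):
    """Return (Query 1 hit, Query 2 hit) per event: [(True, True), (True, False), (False, False)]."""
    return [(matches_query1(e), matches_query2(e)) for e in events]
```

    The second sample event shows why Query 1 and Query 2 differ: AgentExecutor.exe run with -powershell from an unexpected parent fires Query 1 but not Query 2, which requires the Intune Windows Agent as parent.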

    Reference: 

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml


    Tags

    Sigma, Malware, PowerShell Attack
