AgentExecutor PowerShell Execution

Rule Info

Name
AgentExecutor PowerShell Execution
Author
Nasreddine Bencherchali (Nextron Systems), memory-shards
Description
Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
Reference
https://twitter.com/lefterispan/status/1286259016436514816
Date
2022-12-24 00:00:00
Modified
2024-08-07 00:00:00
Id
7efd2c8d-8b18-45b7-947d-adfe9ed04f61
Tags
attack.defense-evasion attack.t1218
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=7efd2c8d-8b18-45b7-947d-adfe9ed04f61

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
Josh
Merge PR #4955 from @joshnck - Fix `agentexecutor.exe` related rules
2024-08-07
8254c4f36
Ryan Plas
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02
1d40f1d20
github-actions[bot]
Merge PR #4533 from @nasbench - Promote `experimental` rules
2023-11-02
a6e7cce60
Nasreddine Bencherchali
feat: aspnet compile + agentexecutor rename
2023-08-14
967f31b24
Wagga
fix: typos in multiple rules (#4011)
2023-02-06
273fdb998
Nasreddine Bencherchali
chore: add nextron authors tag
2023-02-01
7c38a5c49
Nasreddine Bencherchali
fix: enhance logic of `AgentExecutor` rules
2022-12-24
e7d6bf7ca
frack113
Update proc_creation_win_lolbin_agentexecutor.yml
2022-12-23
5fdad241e
memory-shards
Update proc_creation_win_lolbin_agentexecutor.yml
2022-07-31
16fe47a8f
memory-shards
Update proc_creation_win_lolbin_agentexecutor.yml
2022-07-31
564675658
memory-shards
Create proc_creation_win_lolbin_agentexecutor.yml
2022-07-31
562d29c43
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022