
Rule Info
Name
Suspicious Process Loading PowerShell Engine
Author
X__Junior
Description
Detects suspicious processes loading the PowerShell engine, which may indicate the execution of PowerShell commands outside of powershell.exe. Adversaries often abuse this technique for stealthy execution of malicious scripts and for defense evasion. Common benign applications rarely load this DLL, making it a useful indicator of suspicious activity.
Date
2025-02-27 00:00:00
Modified
None
Id
9e8676a0-20d9-4c8a-bc99-d3d77436c218
Tags
attack.defense-evasion
Type
Nextron Sigma feed only (private)