Suspicious PowerShell Engine ImageLoadedit

Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*
  • winlogbeat-*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Execution

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule queryedit

library where dll.name : ("System.Management.Automation.ni.dll",
"System.Management.Automation.dll") and /* add false positives
relevant to your environment here */ not process.executable :
("C:\\Windows\\System32\\RemoteFXvGPUDisablement.exe",
"C:\\Windows\\System32\\sdiagnhost.exe", "C:\\Program Files*\\*.exe")
and not process.name : ( "Altaro.SubAgent.exe",
"AppV_Manage.exe", "azureadconnect.exe", "CcmExec.exe",
"configsyncrun.exe", "choco.exe", "ctxappvservice.exe",
"DVLS.Console.exe", "edgetransport.exe", "exsetup.exe",
"forefrontactivedirectoryconnector.exe", "InstallUtil.exe",
"JenkinsOnDesktop.exe",
"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe",
"mmc.exe", "mscorsvw.exe", "msexchangedelivery.exe",
"msexchangefrontendtransport.exe", "msexchangehmworker.exe",
"msexchangesubmission.exe", "msiexec.exe", "MsiExec.exe",
"noderunner.exe", "NServiceBus.Host.exe",
"NServiceBus.Host32.exe",
"NServiceBus.Hosting.Azure.HostProcess.exe", "OuiGui.WPF.exe",
"powershell.exe", "powershell_ise.exe", "pwsh.exe",
"SCCMCliCtrWPF.exe", "ScriptEditor.exe", "ScriptRunner.exe",
"sdiagnhost.exe", "servermanager.exe", "setup100.exe",
"ServiceHub.VSDetouredHost.exe", "SPCAF.Client.exe",
"SPCAF.SettingsEditor.exe", "SQLPS.exe",
"telemetryservice.exe", "UMWorkerProcess.exe", "w3wp.exe",
"wsmprovhost.exe" )

Threat mappingedit

Framework: MITRE ATT&CKTM

Rule version historyedit

Version 3 (7.12.0 release)
  • Updated query, changed from:

    library where file.name : ("System.Management.Automation.ni.dll",
    "System.Management.Automation.dll") and /* add false positives
    relevant to your environment here */ not process.executable :
    ("C:\\Windows\\System32\\RemoteFXvGPUDisablement.exe",
    "C:\\Windows\\System32\\sdiagnhost.exe", "C:\\Program Files*\\*.exe")
    and not process.name : ( "Altaro.SubAgent.exe",
    "AppV_Manage.exe", "azureadconnect.exe", "CcmExec.exe",
    "configsyncrun.exe", "choco.exe", "ctxappvservice.exe",
    "DVLS.Console.exe", "edgetransport.exe", "exsetup.exe",
    "forefrontactivedirectoryconnector.exe", "InstallUtil.exe",
    "JenkinsOnDesktop.exe",
    "Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe",
    "mmc.exe", "mscorsvw.exe", "msexchangedelivery.exe",
    "msexchangefrontendtransport.exe", "msexchangehmworker.exe",
    "msexchangesubmission.exe", "msiexec.exe", "MsiExec.exe",
    "noderunner.exe", "NServiceBus.Host.exe",
    "NServiceBus.Host32.exe",
    "NServiceBus.Hosting.Azure.HostProcess.exe", "OuiGui.WPF.exe",
    "powershell.exe", "powershell_ise.exe", "pwsh.exe",
    "SCCMCliCtrWPF.exe", "ScriptEditor.exe", "ScriptRunner.exe",
    "sdiagnhost.exe", "servermanager.exe", "setup100.exe",
    "ServiceHub.VSDetouredHost.exe", "SPCAF.Client.exe",
    "SPCAF.SettingsEditor.exe", "SQLPS.exe", "telemetryservice.exe",
    "UMWorkerProcess.exe", "w3wp.exe", "wsmprovhost.exe" )
Version 2 (7.11.2 release)
  • Formatting only