IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Potential Process Injection via PowerShell
Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.
Rule type: query
Rule indices:
- winlogbeat-*
- logs-windows.*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
- https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1
- https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1
- https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Defense Evasion
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
event.category:process and
powershell.file.script_block_text : (
  (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and
  (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or SuspendThread or ResumeThread)
)
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Defense Evasion
  - ID: TA0005
  - Reference URL: https://attack.mitre.org/tactics/TA0005/
- Technique:
  - Name: Process Injection
  - ID: T1055
  - Reference URL: https://attack.mitre.org/techniques/T1055/
- Sub-technique:
  - Name: Dynamic-link Library Injection
  - ID: T1055.001
  - Reference URL: https://attack.mitre.org/techniques/T1055/001/
- Sub-technique:
  - Name: Portable Executable Injection
  - ID: T1055.002
  - Reference URL: https://attack.mitre.org/techniques/T1055/002/