KQL · Elastic-2.0 · from elastic/detection-rules

Potential Process Injection via PowerShell

Rule source: rules/windows/defense_evasion_posh_process_injection.toml
event.category:process and host.os.type:windows and
  powershell.file.script_block_text : (
   (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or
      LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and
   (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or
      SuspendThread or ResumeThread or GetDelegateForFunctionPointer)
  ) and not 
  file.directory: (
    "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM" or
    "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads"
  )