← Library
sigmaDRL-1.1from SigmaHQ/sigma

Amsi.DLL Loaded Via LOLBIN Process

Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack

Quality
86
FP risk
Forks
0
Views
0
Rule sourcerules/windows/image_load/image_load_dll_amsi_suspicious_process.yml
title: Amsi.DLL Loaded Via LOLBIN Process
id: 6ec86d9e-912e-4726-91a2-209359b999b9
status: test
description: Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack
references:
    - Internal Research
    - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
modified: 2025-10-07
tags:
    - attack.defense-evasion
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\amsi.dll'
        Image|endswith:
            # TODO: Add more interesting processes
            - '\ExtExport.exe'
            - '\odbcconf.exe'
            # - '\regsvr32.exe' # legitimately calls amsi.dll
            - '\rundll32.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
Amsi.DLL Loaded Via LOLBIN Process · SIGMA rule | DetectionLint