Language: SPL | License: Apache-2.0 | Source: splunk/security_content
Powershell Fileless Process Injection via GetProcAddress
The following analytic detects the use of `GetProcAddress` in PowerShell script blocks, leveraging PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, which is then logged in Windows event logs. The presence of `GetProcAddress` is unusual for typical PowerShell scripts and often indicates malicious activity, as many attack toolkits use it to achieve code execution. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, potentially leading to system compromise. Analysts should review parallel processes and the entire logged script block for further investigation.
Quality: 67 | FP risk: —
Rule source: detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml
`powershell` EventCode=4104 ScriptBlockText=*getprocaddress*
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime BY dest signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_fileless_process_injection_via_getprocaddress_filter`
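The search logic above, re-implemented in Python over constructed EventCode=4104 records so its behaviour can be checked offline; this is an added example, not code from splunk/security_content. It assumes event dicts with the field names the rule uses, groups by (dest, user_id, ScriptBlockId) instead of the rule's full BY list so that fragments of one script block land in one row, and stands in for the `_filter` macro with a plain callable.

```python
"""Added example: Python re-implementation of the SPL detection, run over
constructed 4104 script-block events. Not part of splunk/security_content."""
from datetime import datetime

# Constructed sample events (not real telemetry); only the fields needed here are set.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "_time": "2024-03-01T10:00:00", "dest": "ws01",
     "user_id": "corp\\alice", "ScriptBlockId": "b1",
     "ScriptBlockText": "$addr = [Win32.Native]::GetProcAddress($hMod, 'ExampleExport')"},
    {"EventCode": 4104, "_time": "2024-03-01T10:00:02", "dest": "ws01",
     "user_id": "corp\\alice", "ScriptBlockId": "b1",
     "ScriptBlockText": "... getprocaddress($hMod, 'OtherExport') ..."},
    {"EventCode": 4104, "_time": "2024-03-01T11:30:00", "dest": "ws02",
     "user_id": "corp\\bob", "ScriptBlockId": "b2",
     "ScriptBlockText": "Get-ChildItem C:\\Temp | Remove-Item"},
    {"EventCode": 4103, "_time": "2024-03-01T11:31:00", "dest": "ws02",
     "user_id": "corp\\bob", "ScriptBlockId": "b3",
     "ScriptBlockText": "GetProcAddress mentioned in a 4103 event is out of scope"},
]


def matches(event, needle="getprocaddress"):
    """`powershell` EventCode=4104 ScriptBlockText=*getprocaddress*
    Splunk wildcard matching is case-insensitive, so compare lower-cased text."""
    text = event.get("ScriptBlockText", "").lower()
    return event.get("EventCode") == 4104 and needle in text


def detect(events, allow_filter=lambda ev: True):
    """Mirror `stats count min(_time) as firstTime max(_time) as lastTime BY ...`.
    allow_filter plays the role of the `..._filter` macro: the place where known-good
    administrative tooling is tuned out before results reach an analyst."""
    groups = {}
    for ev in events:
        if not matches(ev) or not allow_filter(ev):
            continue
        key = (ev["dest"], ev["user_id"], ev["ScriptBlockId"])
        t = datetime.fromisoformat(ev["_time"])
        g = groups.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], t)
        g["lastTime"] = max(g["lastTime"], t)
    return groups


if __name__ == "__main__":
    for key, g in detect(SAMPLE_EVENTS).items():
        print(key, g["count"], g["firstTime"].isoformat(), g["lastTime"].isoformat())
```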