Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

HackTool - Powerup Write Hijack DLL

Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default).

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Subhash PopuriCreated Sat Aug 21Updated Thu Jun 27602a1f13-c640-4d73-b053-be9a2fa58b96windows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|endswith: '.bat'
    condition: selection
False Positives

Any powershell script that creates bat files

References
1
Resolving title…
powersploit.readthedocs.io
MITRE ATT&CK
Rule Metadata
Rule ID
602a1f13-c640-4d73-b053-be9a2fa58b96
Status
test
Level
high
Type
Detection
Created
Sat Aug 21
Modified
Thu Jun 27
Author
Subhash Popuri
Path
rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml
Raw Tags
attack.persistenceattack.privilege-escalationattack.defense-evasionattack.t1574.001
View on GitHub