Detectionmediumtest

AgentExecutor PowerShell Execution

Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems), memory-shardsCreated Sat Dec 24Updated Wed Aug 077efd2c8d-8b18-45b7-947d-adfe9ed04f61windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_img:
        - Image: '\AgentExecutor.exe'
        - OriginalFileName: 'AgentExecutor.exe'
    selection_cli:
        # Example:
        #   AgentExecutor.exe -powershell [scriptPath] [outputFilePath] [errorFilePath] [timeoutFilePath] [timeoutSeconds] [powershellPath] [enforceSignatureCheck] [runAs32BitOn64]
        # Note:
        #   - If [timeoutSeconds] is NULL then it defaults to 60000
        #   - If [enforceSignatureCheck] is:
        #       - "NULL" or "1" then a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy allsigned -file "
        #       - Else a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy bypass -file "
        #   - [powershellPath] is always concatendated to "powershell.exe"
        CommandLine|contains:
            - ' -powershell' # Also covers the "-powershellDetection" flag
            - ' -remediationScript'
    filter_main_intune:
        ParentImage|endswith: '\Microsoft.Management.Services.IntuneWindowsAgent.exe'
    condition: all of selection_* and not 1 of filter_main_*