Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Definition
bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
selection:
ScriptBlockText|startswith: 'function Get-VMRemoteFXPhysicalVideoAdapter {'
condition: selectionFalse positive likelihood has not been assessed. Additional context may be needed during triage.
Tactics
Techniques
RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.
Detects similar activity. Both rules may fire on overlapping events.
Potential RemoteFXvGPUDisablement.EXE Abuse
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
Detects similar activity. Both rules may fire on overlapping events.
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
Detects similar activity. Both rules may fire on overlapping events.