← Back to Explore
sigmamediumHunting
WinAPI Library Calls Via PowerShell Scripts
Detects calls to WinAPI libraries from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
Detection Query
selection:
ScriptBlockText|contains:
- Advapi32.dll
- kernel32.dll
- KernelBase.dll
- ntdll.dll
- secur32.dll
- user32.dll
condition: selection
Author
Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
Created
2023-07-21
Data Sources
windowsps_script
Platforms
windows
Tags
attack.executionattack.t1059.001attack.t1106detection.threat-hunting
Raw Content
title: WinAPI Library Calls Via PowerShell Scripts
id: 19d65a1c-8540-4140-8062-8eb00db0bba5
related:
- id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
type: similar
- id: 03d83090-8cba-44a0-b02f-0b756a050306
type: similar
- id: 9f22ccd5-a435-453b-af96-bf99cbb594d4
type: similar
status: test
description: Detects calls to WinAPI libraries from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-21
tags:
- attack.execution
- attack.t1059.001
- attack.t1106
- detection.threat-hunting
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Advapi32.dll'
- 'kernel32.dll'
- 'KernelBase.dll'
- 'ntdll.dll'
- 'secur32.dll'
- 'user32.dll'
condition: selection
falsepositives:
- Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)
- Chocolatey scripts
level: medium