EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Amsi.DLL Loaded Via LOLBIN Process

Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack

Detection Query

selection:
  ImageLoaded|endswith: \amsi.dll
  Image|endswith:
    - \ExtExport.exe
    - \odbcconf.exe
    - \rundll32.exe
condition: selection

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2023-06-01

Data Sources

windowsImage Load Events

Platforms

windows

References

Tags

attack.defense-evasion
Raw Content
title: Amsi.DLL Loaded Via LOLBIN Process
id: 6ec86d9e-912e-4726-91a2-209359b999b9
status: test
description: Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack
references:
    - Internal Research
    - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
modified: 2025-10-07
tags:
    - attack.defense-evasion
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\amsi.dll'
        Image|endswith:
            # TODO: Add more interesting processes
            - '\ExtExport.exe'
            - '\odbcconf.exe'
            # - '\regsvr32.exe' # legitimately calls amsi.dll
            - '\rundll32.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium