cscli scenarios install sigmahq/proc_creation_win_agentexecutor_susp_usage1type: trigger2name: sigmahq/proc_creation_win_agentexecutor_susp_usage3description: |4 Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument5filter: |6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\AgentExecutor.exe' || evt.Parsed.OriginalFileName == 'AgentExecutor.exe') && (evt.Parsed.CommandLine contains ' -powershell' || evt.Parsed.CommandLine contains ' -remediationScript') && not (evt.Parsed.CommandLine contains 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\' || evt.Parsed.CommandLine contains 'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\' || evt.Parsed.ParentImage endsWith '\\Microsoft.Management.Services.IntuneWindowsAgent.exe'))7blackhole: 2m8#status: test9labels:10 service: windows11 confidence: 112 spoofable: 013 classification:14 - attack.t12181516 label: "Suspicious AgentExecutor PowerShell Execution"17 behavior : "windows:audit"18 remediation: false1920scope:21 type: ParentProcessId22 expression: evt.Parsed.ParentProcessId2324