The detection identifies an adversary leveraging Powerup’s Write Hijack DLL technique to exploit DLL hijacking and execute a self-deleting batch file for privilege escalation. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistence and lateral movement tactics early.
Detection Rule
title: HackTool - Powerup Write Hijack DLL
id: 602a1f13-c640-4d73-b053-be9a2fa58b96
status: test
description: |
    The PowerUp tool's Write-HijackDll function exploits DLL hijacking for privilege escalation.
    In its default mode, it builds a self-deleting .bat file that executes a malicious command.
    The detection rule relies on the creation of that .bat file (debug.bat by default).
references:
    - https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
author: Subhash Popuri (@pbssubhash)
date: 2021-08-21
modified: 2024-06-27
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1574.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|endswith: '.bat'
    condition: selection
falsepositives:
    - Any PowerShell script that creates .bat files # highly unlikely (untested)
level: high
imFileEvent
// The rule's Image field is the process that creates the file, so it maps to the
// ASIM acting-process field, not to the created file's path: a single TargetFilePath
// cannot end with both "\powershell.exe" and ".bat".
| where (ActingProcessName endswith "\\powershell.exe" or ActingProcessName endswith "\\pwsh.exe")
    and TargetFileName endswith ".bat"
Scenario: Legitimate DLL Hijacking via Scheduled Task
Description: A system administrator schedules a task that uses a legitimate DLL from a trusted directory, which is mistakenly flagged as a hijack.
Filter/Exclusion: Exclude processes initiated by scheduled tasks with known legitimate paths, e.g., C:\Windows\System32\ or C:\Windows\SysWOW64\. Use a filter like:
(process.parent_process_name == "schtasks.exe") && (process.path contains "C:\Windows")
Scenario: PowerToys or Similar Tools Using DLL Hijacking
Description: A user is running PowerToys or another legitimate tool that dynamically loads DLLs from a local directory, which is flagged as a hijack.
Filter/Exclusion: Exclude processes from known legitimate tools like PowerToys.exe or TaskbarMover.exe by checking the process name:
(process.name == "PowerToys.exe") || (process.name == "TaskbarMover.exe")
Scenario: Administrative Task Using Self-Deleting Batch File
Description: A system administrator creates a self-deleting batch file to perform a one-time cleanup or configuration change, which is mistakenly flagged as malicious.
Filter/Exclusion: Exclude processes that are initiated by administrative tasks or scripts, such as those launched via cmd.exe with a known legitimate script path:
(process.name == "cmd.exe") && (process.command_line contains "C:\Windows\System32\")
Scenario: DLL Hijacking for Compatibility or Legacy Support
Description: A developer or admin uses DLL hijacking to ensure compatibility with legacy applications, which is a legitimate practice in some environments.
Filter/Exclusion:
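The selection logic of the rule above (a PowerShell or pwsh image creating a .bat file) and the allowlist idea behind the false-positive scenarios, as an added Python example that is not part of the Sigma rule or the original page. The event records, the allowlisted directory and the allowlisted parent process are all constructed assumptions so the script runs offline; in production the same two checks would be expressed in the SIEM query language.

```python
"""
Added example, not the page's or the Sigma project's own code: re-implements
the rule's selection over file-creation events and layers a narrow allowlist
on top, modelled on the false-positive scenarios. Every record and allowlist
entry here is constructed sample data.
"""

# Constructed events in the shape of a Sigma file_event record (Sysmon
# Event ID 11 style): the creating process image, the created file, and
# the parent of the creating process.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\debug.bat",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "TargetFilename": "C:\\ProgramData\\cleanup.BAT",        # admin script, upper-case extension
     "ParentImage": "C:\\Windows\\System32\\taskhostw.exe"},  # assumed task-host parent
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Temp\\run.bat",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Users\\alice\\notes.txt",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

# Sigma 'endswith' on the Image field; Sigma string modifiers match
# case-insensitively, so both sides are lower-cased before comparing.
PROCESS_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
TARGET_SUFFIX = ".bat"


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's 'selection' block."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    return image.endswith(PROCESS_SUFFIXES) and target.endswith(TARGET_SUFFIX)


# Hypothetical tuning allowlist: a directory where an administrator's own
# scheduled scripts are expected to drop .bat files, combined with the parent
# process that launched them. Requiring both conditions keeps the exclusion
# narrow; a bare "C:\Windows" prefix alone would also cover user-writable
# locations such as C:\Windows\Temp.
ALLOWLISTED_DIRS = ("c:\\programdata\\",)
ALLOWLISTED_PARENTS = ("\\taskhostw.exe",)


def is_allowlisted(event: dict) -> bool:
    """Return True when the event is a known-good pattern and should be suppressed."""
    target = event.get("TargetFilename", "").lower()
    parent = event.get("ParentImage", "").lower()
    return target.startswith(ALLOWLISTED_DIRS) and parent.endswith(ALLOWLISTED_PARENTS)


def run_detection(events) -> list:
    """Return the events that match the rule and are not excluded by the allowlist."""
    return [e for e in events if matches_rule(e) and not is_allowlisted(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["TargetFilename"])
```

Run stand-alone, only the powershell.exe event that writes debug.bat is reported: the pwsh.exe event matches the rule but is suppressed by the allowlist, the cmd.exe event never matches because the rule keys on the creating image, and the .txt write fails the extension check. Note that the allowlist tests both the destination directory and the parent process; an exclusion on directory alone would let an attacker drop the batch file into the allowlisted path to evade the rule.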