Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
Last updated on:
In this page
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock | Standard | Windows | Defense Evasion: System Binary Proxy Execution (T1218) | Critical |
About the rule
Rule Type
Standard
Rule Description
This rule detects suspicious PowerShell script execution patterns involving the creation of a function named Get-VMRemoteFXPhysicalVideoAdapter. This specific pattern has been observed in attempts to abuse the vulnerable RemoteFXvGPUDisablement.exe binary through module load-order hijacking. Attackers may drop a malicious PowerShell module that gets executed when this binary is launched, enabling them to execute arbitrary code in a stealthy manner.
Severity
Trouble
Rule journey
Attack chain scenario
Compromised RMM software → Dropping malicious PowerShell module → Execution triggered through RemoteFXvGPUDisablement.exe → Code injection → Remote WMI
Impact
- Execution of an unauthorized code
- Bypass security controls
- Lateral movement
Rule Requirement
Prerequisites
Logon to Group Policy Management Console with administrative privileges and enable Module Logging for Windows PowerShell in the Group Policy Management Editor. Ensure to enter * in the Module Names window to record all modules. Similarly enable PowerShell Script Block Logging for Windows PowerShell. Finally, create a new registry key "Microsoft-Windows-Powershell/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".
Criteria
Action1: actionname = "PowerShell Script Block Logged" AND SCRIPTEXECUTED startswith "function Get-VMRemoteFXPhysicalVideoAdapter {" select Action1.HOSTNAME,Action1.MESSAGE,Action1.SCRIPTEXECUTED
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Defense Evasion: System Binary Proxy Execution (T1218)
Security standard:
Enabling this rule will help you meet the security standard's requirement listed below:
DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.
When this rule is triggered, you're notified of the execution of PowerShell script which begins with a function named Get-VMRemoteFXPhysicalVideoAdapter. This enables you to monitor runtime environments like PowerShell, identify potential credential compromises, and detect attempts to create AD snapshots.
Author
Nasreddine Bencherchali (Nextron Systems)
Future actions
Known False Positives
This rule might trigger during legitimate script testing or development if administrators manually define the Get-VMRemoteFXPhysicalVideoAdapter function for troubleshooting or configuration purposes.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
- Audit PowerShell activities: Monitor script block logging for function declarations mimicking legitimate modules.
Mitigation
Mitigation ID | Mitigation Name | Mitigation description |
Disable or remove native binaries that aren't essential to your environment to reduce potential attack surfaces. | ||
Consider implementing application control to prevent the execution of binaries that are prone to abuse and aren't required for a specific system or network. | ||
Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can help block methods that use trusted binaries to bypass application control. | ||
Utilize network appliances to filter incoming and outgoing traffic and perform protocol-based filtering. Also, configure software on endpoints to filter network traffic. | ||
Restrict the execution of particularly vulnerable binaries to only those privileged accounts or groups that absolutely require them, thereby reducing opportunities for malicious use. | ||
Restrict the use of certain websites, block downloads and attachments, disable JavaScript, and limit browser extensions to enhance security. |
