HackTool - DInjector PowerShell Cradle Execution
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
|---|---|---|---|---|
| HackTool - DInjector PowerShell Cradle Execution | Standard | Windows Security Event Log (Process Creation); Sysmon (ProcessCreate Event) | T1055: Process Injection (Defense Evasion and Privilege Escalation) | Critical |
About the rule
Rule Type
Standard
Rule Description
Detects execution of the DInjector PowerShell cradle based on the specific command-line flags that indicate its use; the tool is commonly used for process injection and privilege escalation.
Severity
Critical
Rule journey
Attack chain scenario
Defense Evasion (Process Injection), Privilege Escalation (Process Injection)
Impact
Stealthy code execution through process injection and elevation of privileges on Windows systems.
Rule Requirement
Prerequisites
Windows Event Viewer
- Log in to a domain controller.
- Open GPMC (gpmc.msc) and edit or create a GPO.
- Go to: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking
- Enable Audit Process Creation (Success).
- Enable Audit Process Termination (Success).
- Go to: Computer Configuration > Administrative Templates > System > Audit Process Creation
- Enable "Include command line in process creation events".
- Ensure the registry key exists:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Security-Auditing\Operational
Sysmon
- Download and install Sysmon.
- Open Command Prompt as admin.
- Use a config file with <ProcessCreate onmatch="exclude"/>.
- Install Sysmon with config: sysmon.exe -i [configfile.xml]
- Ensure the registry key exists:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Sysmon\Operational
Criteria
Action1: actionname = "Process started" AND COMMANDLINE contains " /am51" AND COMMANDLINE contains " /password"
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
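The criteria above applied to sample process-creation events, as an added example that is not part of the rule page or of any SIEM product's code. It assumes the event fields carry the names used in the select clause (HOSTNAME, COMMANDLINE, PROCESSNAME, and so on), treats the `contains` comparison as case-insensitive (an assumption about the query engine; adjust if yours is case-sensitive), and uses constructed sample events rather than real telemetry. Note the leading space in both markers: the rule keys on " /am51" and " /password" as separate switches, not on the bare strings.

```python
"""Evaluate the DInjector cradle criteria over constructed process events.

Added example, not part of the original page. Field names follow the
rule's select clause; the case-insensitive 'contains' is an assumption.
"""

# Columns named in the rule's select clause.
SELECT_FIELDS = (
    "HOSTNAME", "MESSAGE", "COMMANDLINE", "FILE_NAME",
    "PROCESSNAME", "USERNAME", "PARENTPROCESSNAME",
)

# Both markers must be present. The leading space is part of the match,
# so a token such as "x/am51" embedded in another argument does not hit.
REQUIRED_MARKERS = (" /am51", " /password")


def matches_dinjector_cradle(event: dict) -> bool:
    """True when every clause of the Criteria holds for one event:
    action is 'Process started' and the command line carries both markers."""
    if event.get("actionname") != "Process started":
        return False
    cmdline = event.get("COMMANDLINE", "").lower()  # assumption: case-insensitive contains
    return all(marker in cmdline for marker in REQUIRED_MARKERS)


def project(event: dict) -> dict:
    """Keep only the columns the rule selects, so the alert payload is stable."""
    return {field: event.get(field, "") for field in SELECT_FIELDS}


def run_rule(events) -> list:
    """Return the projected hits for an iterable of flattened events."""
    return [project(e) for e in events if matches_dinjector_cradle(e)]


# Constructed sample events in the flattened shape the rule reads
# (Security 4688 / Sysmon Event ID 1 mapped to the select-clause names).
SAMPLE_EVENTS = [
    {  # benign PowerShell with unrelated switches: no hit
        "actionname": "Process started",
        "HOSTNAME": "WS01",
        "MESSAGE": "Process Create",
        "COMMANDLINE": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
        "FILE_NAME": "powershell.exe",
        "PROCESSNAME": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "USERNAME": "CORP\\svc_backup",
        "PARENTPROCESSNAME": "C:\\Windows\\System32\\svchost.exe",
    },
    {  # both markers present (mixed case): hit
        "actionname": "Process started",
        "HOSTNAME": "WS02",
        "MESSAGE": "Process Create",
        "COMMANDLINE": "powershell.exe -c \"<cradle>\" /AM51 /password:PLACEHOLDER",
        "FILE_NAME": "powershell.exe",
        "PROCESSNAME": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "USERNAME": "CORP\\jdoe",
        "PARENTPROCESSNAME": "C:\\Windows\\explorer.exe",
    },
    {  # only one marker: no hit
        "actionname": "Process started",
        "HOSTNAME": "WS03",
        "MESSAGE": "Process Create",
        "COMMANDLINE": "tool.exe /password:PLACEHOLDER",
        "FILE_NAME": "tool.exe",
        "PROCESSNAME": "C:\\Temp\\tool.exe",
        "USERNAME": "CORP\\jdoe",
        "PARENTPROCESSNAME": "C:\\Windows\\System32\\cmd.exe",
    },
    {  # both markers but a termination event: the action clause excludes it
        "actionname": "Process terminated",
        "HOSTNAME": "WS02",
        "MESSAGE": "Process Terminate",
        "COMMANDLINE": "powershell.exe -c \"<cradle>\" /am51 /password:PLACEHOLDER",
        "FILE_NAME": "powershell.exe",
        "PROCESSNAME": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "USERNAME": "CORP\\jdoe",
        "PARENTPROCESSNAME": "C:\\Windows\\explorer.exe",
    },
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit["HOSTNAME"], hit["USERNAME"], hit["COMMANDLINE"])
```

Only the second sample produces an alert; the termination event is filtered by the action clause even though its command line matches, which is why Audit Process Termination can stay enabled without adding noise to this rule.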
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
T1055: Process Injection (Defense Evasion and Privilege Escalation)
Security Standards
Endpoint behavior prevention and privileged account management best practices, including use of Attack Surface Reduction rules and kernel-level restrictions.
Author
Florian Roth (Nextron Systems)
Future actions
Known False Positives
Unlikely; very low probability of false positives due to specific command-line flags and process names involved.
Next Steps
- Investigate detections for presence of edrsilencer.exe or matching command-line parameters.
- Conduct forensic analysis on affected endpoints for signs of process injection or privilege escalation.
- Isolate affected systems if malicious activity is confirmed.
- Review and enforce endpoint security controls and privilege management policies.
Mitigation
| Mitigation ID | Name | Description |
|---|---|---|
| M1040 | Behavior Prevention on Endpoint | Configure endpoint security solutions (e.g., Attack Surface Reduction rules) to block common process injection behaviors. |
| M1026 | Privileged Account Management | Restrict process injection via kernel security settings (Linux Yama) or Windows security policies; deploy advanced access control modules like SELinux, AppArmor, or grsecurity. |