Sigma rules · CVE-2018-0875 · threatengine.sh

Home/CVE-2018-0875/Sigma rules

Sigma

Sigma rules for CVE-2018-0875

2 rules · scoped to cve · back to CVE-2018-0875

Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

◈

Detection rules

2 of 2

direct medium

PowerShell Core DLL Loaded Via Office Application

Detects PowerShell core DLL being loaded by an Office Product

status test author Nasreddine Bencherchali (Nextron Systems) id bb2ba6fb-95d4-4a25-89fc-30bb736c021a license Sigma · DRL-1.1

view Sigma YAML

title: PowerShell Core DLL Loaded Via Office Application
id: bb2ba6fb-95d4-4a25-89fc-30bb736c021a
status: test
description: Detects PowerShell core DLL being loaded by an Office Product
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
tags:
    - attack.stealth
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\mspub.exe'
            - '\outlook.exe'
            - '\onenote.exe'
            - '\onenoteim.exe' # Just in case
            - '\powerpnt.exe'
            - '\winword.exe'
        ImageLoaded|contains:
            - '\System.Management.Automation.Dll'
            - '\System.Management.Automation.ni.Dll'
    condition: selection
falsepositives:
    - Unknown
level: medium

direct medium

PowerShell Core DLL Loaded By Non PowerShell Process

Detects loading of essential DLLs used by PowerShell by non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension.

status test author Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) id 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f license Sigma · DRL-1.1

view Sigma YAML

title: PowerShell Core DLL Loaded By Non PowerShell Process
id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f
related:
    - id: 867613fb-fa60-4497-a017-a82df74a172c
      type: obsolete
    - id: fe6e002f-f244-4278-9263-20e4b593827f
      type: obsolete
status: test
description: |
    Detects loading of essential DLLs used by PowerShell by non-PowerShell process.
    Detects behavior similar to meterpreter's "load powershell" extension.
references:
    - https://adsecurity.org/?p=2921
    - https://github.com/p3nt4/PowerShdll
author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2019-11-14
modified: 2025-10-07
tags:
    - attack.t1059.001
    - attack.execution
logsource:
    category: image_load
    product: windows
detection:
    selection:
        - Description: 'System.Management.Automation'
        - OriginalFileName: 'System.Management.Automation.dll'
        - ImageLoaded|endswith:
              - '\System.Management.Automation.dll'
              - '\System.Management.Automation.ni.dll'
    filter_main_powershell:
        Image:
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe' # PowerShell 7 preview
            - 'C:\Program Files\PowerShell\7\pwsh.exe' # PowerShell 7
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_main_pwsh_preview:
        Image|contains:
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
            - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
        Image|endswith: '\pwsh.exe'
    filter_main_generic:
        Image:
            - 'C:\Windows\System32\dsac.exe'
            - 'C:\WINDOWS\System32\RemoteFXvGPUDisablement.exe'
            - 'C:\Windows\System32\runscripthelper.exe'
            - 'C:\WINDOWS\System32\sdiagnhost.exe'
            - 'C:\Windows\System32\ServerManager.exe'
            - 'C:\Windows\System32\SyncAppvPublishingServer.exe'
            - 'C:\Windows\System32\winrshost.exe'
            - 'C:\Windows\System32\wsmprovhost.exe'
            - 'C:\Windows\SysWOW64\winrshost.exe'
            - 'C:\Windows\SysWOW64\wsmprovhost.exe'
    filter_main_dotnet:
        Image|startswith:
            - 'C:\Windows\Microsoft.NET\Framework\'
            - 'C:\Windows\Microsoft.NET\FrameworkArm\'
            - 'C:\Windows\Microsoft.NET\FrameworkArm64\'
            - 'C:\Windows\Microsoft.NET\Framework64\'
        Image|endswith: '\mscorsvw.exe'
    filter_optional_sql_server_mgmt:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft SQL Server Management Studio'
            - 'C:\Program Files\Microsoft SQL Server Management Studio'
        Image|endswith: '\IDE\Ssms.exe'
    filter_optional_sql_server_tools:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft SQL Server\'
            - 'C:\Program Files\Microsoft SQL Server\'
        Image|endswith: '\Tools\Binn\SQLPS.exe'
    filter_optional_citrix:
        Image|endswith: '\Citrix\ConfigSync\ConfigSyncRun.exe'
    filter_optional_vs:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft Visual Studio\'
            - 'C:\Program Files\Microsoft Visual Studio\'
    filter_optional_chocolatey:
        Image|startswith: 'C:\ProgramData\chocolatey\choco.exe'
    filter_optional_nextron:
        Image|startswith: 'C:\Windows\Temp\asgard2-agent\'
        Image|endswith:
            - '\thor64.exe'
            - '\thor.exe'
        # User: 'NT AUTHORITY\SYSTEM'   # if set, matches all powershell processes not launched by SYSTEM
    filter_optional_aurora:
        # This filter is to avoid a race condition FP with this specific ETW provider in aurora
        Image: null
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Used by some .NET binaries, minimal on user workstation.
    - Used by Microsoft SQL Server Management Studio
level: medium

Showing 1-2 of 2

Prev 1 Next

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin