AgentExecutor PowerShell Execution (7efd2c8d-8b18-45b7-947d-adfe9ed04f61)
Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| AgentExecutor PowerShell Execution (7efd2c8d-8b18-45b7-947d-adfe9ed04f61) | Sigma-Rules | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 1 |