Suspicious AgentExecutor PowerShell Execution (c0b40568-b1e9-4b03-8d6c-b096da6da9ab)
Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | Suspicious AgentExecutor PowerShell Execution (c0b40568-b1e9-4b03-8d6c-b096da6da9ab) | Sigma-Rules | 1 |