Potential RemoteFXvGPUDisablement.EXE Abuse (f65e22f9-819e-4f96-9c7b-498364ae7a25)
Detects PowerShell module creation where the module contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary, which is known to be vulnerable to module load-order hijacking.
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Potential RemoteFXvGPUDisablement.EXE Abuse (f65e22f9-819e-4f96-9c7b-498364ae7a25) | Sigma-Rules | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 1 |