The following analytic detects PowerShell Script Block Logging (Event ID 4104) evidence of a complete P/Invoke process-injection API chain at either the compile phase or the execution phase. Portions ...
description: Detects suspicious PowerShell script blocks where a partial process injection sequence is observed, potentially indicating a failed attempt or staging.
- Administrative scripting or ...