Powerup Write Hijack DLL (602a1f13-c640-4d73-b053-be9a2fa58b96)

The Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In its default mode, it builds a self-deleting .bat file that executes a malicious command. The detection rule relies on the creation of the malicious .bat file (debug.bat by default).

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| DLL Search Order Hijacking - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) | Attack Pattern | Powerup Write Hijack DLL (602a1f13-c640-4d73-b053-be9a2fa58b96) | Sigma-Rules | 1 |
| DLL Search Order Hijacking - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) | Attack Pattern | Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | 2 |