title: DInject PowerShell Cradle CommandLine Flags
ruletype: Sigma
author: Florian Roth
date: 2021/12/07
description: Detects the use of the Dinject PowerShell cradle based on the specific
  flags
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    CommandLine:
    - '* /am51*'
    - '* /password*'
  condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unlikely
id: d78b5d61-187d-44b6-bf02-93486a80de5a
level: critical
logsource:
  category: process_creation
  product: windows
references:
- https://github.com/snovvcrash/DInjector
status: experimental
tags:
- attack.defense_evasion
- attack.t1055