← Back to SOC feed Coverage →

RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses

sigma HIGH SigmaHQ
T1218
imProcessCreate
powershell
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-12T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects calls to the AtomicTestHarnesses “Invoke-ATHRemoteFXvGPUDisablementCommand” which is designed to abuse the “RemoteFXvGPUDisablement.exe” binary to run custom PowerShell code via module load-or

Detection Rule

Sigma (Original)

title: RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5
related:
    - id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic
      type: similar
    - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module
      type: similar
    - id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock
      type: similar
status: test
description: Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
    - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: frack113
date: 2021-07-13
modified: 2023-05-09
tags:
    - attack.stealth
    - attack.t1218
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'Invoke-ATHRemoteFXvGPUDisablementCommand'
            - 'Invoke-ATHRemoteFXvGPUDisableme'
    condition: selection
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessCommandLine contains "Invoke-ATHRemoteFXvGPUDisablementCommand" or TargetProcessCommandLine contains "Invoke-ATHRemoteFXvGPUDisableme"

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml