PowerShell Invoke-NinjaCopy script

Detects PowerShell script block content containing Invoke-NinjaCopy or related Stealth* functions used for direct volume file access. Attackers use NinjaCopy to read locked system files such as NTDS.dit or registry hives for credential dumping.

Elastic rule:

```toml
[metadata]
creation_date = "2023/01/23"
integration = ["windows"]
maturity = "production"
updated_date = "2026/01/26"

[rule]
author = ["Elastic"]
description = """
Detects PowerShell script block content containing Invoke-NinjaCopy or related Stealth* functions used for direct volume
file access. Attackers use NinjaCopy to read locked system files such as NTDS.dit or registry hives for credential
dumping.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.powershell*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Invoke-NinjaCopy script"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating PowerShell Invoke-NinjaCopy script

This rule identifies PowerShell script block content referencing `Invoke-NinjaCopy` or related `Stealth*` helper functions. These functions are commonly used to perform direct volume file reads that can bypass normal file locking and access controls, enabling copies of sensitive credential stores (for example, `NTDS.dit` or registry hives like `SAM`, `SYSTEM`, and `SECURITY`). The presence of these strings can represent tool staging (definition/import) or active execution, so focus on determining intent, targeted artifacts, output locations, and surrounding activity.

#### Key alert fields to review

- `user.name`, `user.domain`, `user.id`: Account execution context for correlation, prioritization, and scoping.
- `host.name`, `host.id`: Host execution context for correlation, prioritization, and scoping.
- `powershell.file.script_block_text`: Script block content that matched the detection logic.
- `powershell.file.script_block_id`, `powershell.sequence`, `powershell.total`: Script block metadata to pivot to other fragments or reconstruct full script content when split across multiple events.
- `file.path`, `file.directory`, `file.name`: File-origin context when the script block is sourced from an on-disk file.
- `powershell.file.script_block_length`: Script block length (size) context.

#### Possible investigation steps

- Triage the alert context:
  - Identify the affected `host.name` / `host.id` and the account (`user.name`, `user.domain`, `user.id`).
  - Determine whether the host is expected to store credential material (for example, a directory services server) and whether the user is expected to perform privileged maintenance on it.
  - Use the alert time (`@timestamp`) to define an initial correlation window and expand as needed.

- Analyze `powershell.file.script_block_text` to understand what was staged or executed:
  - Determine whether the content is primarily function definitions/module code (tool load) or includes direct invocation of `Invoke-NinjaCopy` and `Stealth*` functions.
  - Extract any referenced source artifacts (for example, `NTDS.dit` or registry hives) and any destination/output file names, directories, or remote paths.
  - Look for indicators of direct volume access, such as device/volume path handling, low-level file handle usage, delegates, or logic intended to bypass normal file locking.
  - Identify follow-on logic that would support collection and handling (copy loops, chunking, archiving, encoding, renaming, or cleanup).

- Use script block metadata to reconstruct full content when logged in multiple parts:
  - Pivot on `powershell.file.script_block_id` for the same `host.id`.
  - Order fragments by `powershell.sequence` and confirm the final part count matches `powershell.total`.
  - If parts are missing, treat the content as incomplete and continue scoping for additional fragments.
  - Preserve the reconstructed content and the original fragment events for case evidence.

- Determine script provenance when file context is present:
  - Review `file.path` / `file.name` (and `file.directory` if populated) to identify where the script was executed from.
  - Treat execution from user-writable or temporary locations as higher risk, and scope for other executions originating from the same path or directory on the host.
  - If file context is not present, consider interactive execution or remote delivery and expand scoping to other script blocks from the same `host.id` and `user.id` around the alert time.

- Scope for related PowerShell activity on the endpoint:
  - Review additional Script Block Logging events for the same `host.id` and `user.id` around the alert time to identify staging, retries, and post-collection actions.
  - Use `powershell.file.script_block_length` to prioritize larger blocks that may contain full tooling, embedded functions, or post-processing logic.
  - Prioritize script blocks that reference the same artifact names or output locations observed in the matched content.

- Assess prevalence across the environment:
  - Search for the same keywords within `powershell.file.script_block_text` (for example, `Invoke-NinjaCopy` and `StealthOpenFile`) across other hosts to identify broader deployment.
  - If `file.path` or `file.name` is present, use it to identify reuse of the same script file across multiple hosts or users.

- Correlate with adjacent telemetry (if available) using `host.name`, `host.id`, `user.id`, and the alert time:
  - Process activity to identify the PowerShell host process and the parent/source that initiated it, and whether execution aligns with expected administrative workflows.
  - File activity to confirm whether copies of targeted artifacts were created, where they were written, and whether they were later archived or moved.
  - Network activity to identify outbound transfers or remote access shortly after script execution.
  - Authentication activity to identify suspicious logons, privilege use, or lateral movement following potential credential material collection.

- Determine impact:
  - If the script indicates attempted access to directory services database files or registry hives, treat this as potential credential exposure until corroborating telemetry shows otherwise and respond accordingly.

### False positive analysis

- Approved security testing, adversary emulation, or controlled red team activity that includes NinjaCopy-derived code.
- Authorized incident response, forensic acquisition, or recovery workflows that require copying locked system files.
- Administrative tooling that embeds similar helper functions for troubleshooting or backup operations (uncommon); validate ownership, expected hosts, and change control.

### Response and remediation

- If the activity is not expected or cannot be attributed to an approved task:
  - Isolate the affected host to prevent additional collection, staging, or lateral movement.
  - Take immediate steps to prevent further use of the implicated account (`user.id`) until legitimacy is confirmed.

- Preserve and collect evidence:
  - Save the full `powershell.file.script_block_text` and reconstruct missing fragments using `powershell.file.script_block_id`, `powershell.sequence`, and `powershell.total` where applicable.
  - Record `@timestamp`, `host.name`, `host.id`, `user.name`, `user.domain`, `user.id`, and any available `file.path` / `file.name` context.
  - Identify any destination/output locations referenced in the script content and preserve related artifacts (copied files, archives, temporary staging).

- Assess credential exposure and potential follow-on activity:
  - Use available endpoint telemetry to determine whether credential stores were successfully copied or staged.
  - If credential stores may have been accessed or copied, follow your credential containment process and prioritize rotation of impacted and privileged credentials.

- Eradicate and scope:
  - Remove unauthorized scripts and supporting artifacts identified from `file.path` / `file.name` and from any output locations referenced in the script.
  - Hunt for additional NinjaCopy-related script blocks across endpoints and for subsequent suspicious authentication activity associated with the same user and host context.

- Recover and harden:
  - Restore affected systems as needed and validate that no persistence remains.
  - Reduce recurrence by tightening administrative scripting governance for PowerShell (least privilege, controlled script deployment locations, and application control where feasible) and by restricting access to systems that store credential material.
"""
references = [
    "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1",
]
risk_score = 73
rule_id = "b8386923-b02c-4b94-986a-d223d9b01f88"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: PowerShell Logs",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:process and host.os.type:windows and
  powershell.file.script_block_text : (
    "StealthReadFile" or
    "StealthReadFileAddr" or
    "StealthCloseFileDelegate" or
    "StealthOpenFile" or
    "StealthCloseFile" or
    "StealthReadFile" or
    "Invoke-NinjaCopy"
   )
  and not user.id : "S-1-5-18"
  and not powershell.file.script_block_text : (
    "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.002"
name = "Security Account Manager"
reference = "https://attack.mitre.org/techniques/T1003/002/"

[[rule.threat.technique.subtechnique]]
id = "T1003.003"
name = "NTDS"
reference = "https://attack.mitre.org/techniques/T1003/003/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1006"
name = "Direct Volume Access"
reference = "https://attack.mitre.org/techniques/T1006/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"


[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user.id",
    "user.domain",
    "powershell.file.script_block_text",
    "powershell.file.script_block_id",
    "powershell.sequence",
    "powershell.total",
    "file.path",
    "file.directory",
    "file.name",
    "process.pid",
    "host.name",
    "host.id",
    "powershell.file.script_block_length"
]
```
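An added example (not Elastic's rule code) that emulates the query's matching logic, including its LocalSystem and PowerSploit-indicator exclusions, and the fragment reconstruction the investigation guide describes, over constructed script-block events. Field names follow the rule; the flat event shape, case-insensitive substring matching as a stand-in for KQL text matching, and 1-based `powershell.sequence` values are assumptions.

```python
# Added example (not Elastic's code): emulates the rule's KQL matching and the
# fragment reconstruction from the investigation guide over constructed events.
# Assumptions: flat dicts keyed by ECS field name, case-insensitive substring
# matching as a stand-in for KQL text matching, 1-based powershell.sequence.

KEYWORDS = ("StealthReadFile", "StealthReadFileAddr", "StealthCloseFileDelegate",
            "StealthOpenFile", "StealthCloseFile", "Invoke-NinjaCopy")
# The rule's exclusion applies only when all three strings occur together.
EXCLUDE_ALL = ("sentinelbreakpoints", "Set-PSBreakpoint", "PowerSploitIndicators")
LOCAL_SYSTEM_SID = "S-1-5-18"

def matches_rule(event):
    """True when an event satisfies the rule's query."""
    if event.get("event.category") != "process" or event.get("host.os.type") != "windows":
        return False
    text = event.get("powershell.file.script_block_text", "").lower()
    if not any(k.lower() in text for k in KEYWORDS):
        return False
    if event.get("user.id") == LOCAL_SYSTEM_SID:   # and not user.id : "S-1-5-18"
        return False
    return not all(s.lower() in text for s in EXCLUDE_ALL)

def reconstruct_script_block(events, script_block_id, host_id):
    """Join fragments in powershell.sequence order and report missing parts."""
    frags = [e for e in events if e.get("powershell.file.script_block_id") == script_block_id
             and e.get("host.id") == host_id]
    if not frags:
        return None
    total = frags[0]["powershell.total"]
    by_seq = {e["powershell.sequence"]: e for e in frags}
    missing = [n for n in range(1, total + 1) if n not in by_seq]
    text = "".join(by_seq[n]["powershell.file.script_block_text"] for n in sorted(by_seq))
    return {"text": text, "total": total, "missing": missing, "complete": not missing}

def _ev(user, blk, seq, total, text, host="WS01"):
    # Constructed script-block event (sample data, not real telemetry).
    return {"event.category": "process", "host.os.type": "windows", "host.id": host,
            "user.id": user, "powershell.file.script_block_id": blk,
            "powershell.sequence": seq, "powershell.total": total,
            "powershell.file.script_block_text": text}

# Constructed samples: a two-part tool load, a LocalSystem-run block, a block
# carrying the rule's three-string exclusion, and a benign script.
SAMPLE_EVENTS = [
    _ev("S-1-5-21-1-2-3-1001", "blk-A", 1, 2, "function Invoke-NinjaCopy {\n"),
    _ev("S-1-5-21-1-2-3-1001", "blk-A", 2, 2, "  $h = StealthOpenFile $Path }\n"),
    _ev("S-1-5-18", "blk-B", 1, 1, "Invoke-NinjaCopy -Path C:\\x"),
    _ev("S-1-5-21-1-2-3-1001", "blk-C", 1, 1,
        "$sentinelbreakpoints; Set-PSBreakpoint; $PowerSploitIndicators = 'Invoke-NinjaCopy'"),
    _ev("S-1-5-21-1-2-3-1001", "blk-D", 1, 1, "Get-Process | Sort-Object CPU"),
]

def alerts(events=SAMPLE_EVENTS):
    """Return the sorted script_block_ids of events the rule would alert on."""
    return sorted({e["powershell.file.script_block_id"] for e in events if matches_rule(e)})
```

Only `blk-A` alerts: the LocalSystem block and the block carrying all three exclusion strings are suppressed exactly as the query's `and not` clauses specify, and the partial reconstruction reports sequence 2 as missing.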
