Potential PowerShell HackTool Script by Function Names

Detects PowerShell scripts containing function names and helpers from common offensive frameworks and tools used for discovery, credential access, injection, persistence, and exfiltration. Attackers often reuse these public functions with minimal changes, leaving recognizable function-name artifacts.

Elastic rule

[metadata]
creation_date = "2023/01/17"
integration = ["windows"]
maturity = "production"
updated_date = "2026/02/09"

[rule]
author = ["Elastic"]
description = """
Detects PowerShell scripts containing function names and helpers from common offensive frameworks and tools used for
discovery, credential access, injection, persistence, and exfiltration. Attackers often reuse these public functions
with minimal changes, leaving recognizable function-name artifacts.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.powershell*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential PowerShell HackTool Script by Function Names"
note = """## Triage and analysis

> **Disclaimer**:
> This guide was created by humans with the assistance of generative AI. While its contents have been manually curated to include the most valuable information, always validate assumptions and adjust procedures to match your internal runbooks and incident triage and response policies.

### Investigating Potential PowerShell HackTool Script by Function Names

This rule identifies PowerShell Script Block Logging events where the captured script content includes function names commonly reused by offensive PowerShell toolkits. Script blocks can contain function definitions (tool staging) and/or function invocation (active use). Prioritize determining what capability is present, how the script was introduced, and whether follow-on activity occurred.

#### Key alert fields to review

- `user.name`, `user.domain`, `user.id`: Account execution context for correlation, prioritization, and scoping.
- `host.name`, `host.id`: Host execution context for correlation, prioritization, and scoping.
- `powershell.file.script_block_text`: Script block content that matched the detection logic.
- `powershell.file.script_block_id`, `powershell.sequence`, `powershell.total`: Script block metadata to pivot to other fragments or reconstruct full script content when split across multiple events.
- `file.path`, `file.directory`, `file.name`: File-origin context when the script block is sourced from an on-disk file.
- `powershell.file.script_block_length`: Script block length (size) context.

#### Possible investigation steps

- Review `powershell.file.script_block_text` to determine intent and urgency:
  - Identify the function name(s) present and map them to likely capability. Examples include:
    - Credential access: `Invoke-Mimikatz`, `Invoke-Kerberoast`, `Invoke-DCSync`, `Get-GPPPassword`, `Get-LSASecret`.
    - Injection or token manipulation: `Invoke-ReflectivePEInjection`, `Create-RemoteThread`, `Inject-RemoteShellcode`, `Invoke-TokenManipulation`.
    - Remote execution or lateral movement: `Invoke-PsExec`, `Invoke-SMBExec`, `Invoke-WmiCommand`, `Invoke-PSRemoting`, `Invoke-DCOM`.
    - Staging, persistence, or exfiltration: `Invoke-DownloadCradle`, `Add-Persistence`, `HTTP-Backdoor`, `Do-Exfiltration`.
  - Determine whether the script block primarily defines functions (tool staging) or calls them (active use). If only definitions are present, look for follow-on script blocks from the same host and user that invoke the functions.
  - Capture any embedded targets or indicators visible in the text (other usernames, hostnames, domains, remote paths, URLs, or IP addresses).

- Reconstruct the complete script when it is split across multiple events:
  - Pivot using `host.name` (or `host.id`) and `powershell.file.script_block_id` to collect related script blocks around `@timestamp`.
  - Order fragments using `powershell.sequence` and confirm completeness using `powershell.total`.
  - Use `powershell.file.script_block_length` as a size signal to distinguish a full toolkit/module from a small launcher or single command.

- Establish script origin and execution context:
  - If `file.path` / `file.name` (and `file.directory`) are present, treat the script as an on-disk artifact. Validate whether its location and naming align with approved scripts and expected administrative workflows for that host and user.
  - If file fields are not present, treat the activity as potentially interactive or in-memory. Correlate other endpoint telemetry from the same `host.id` and time window to identify how PowerShell was started and what else executed immediately before and after.

- Validate the account and host context:
  - Review `user.name`, `user.domain`, and `user.id` for privilege level and whether the activity aligns with expected responsibilities and working hours.
  - Review `host.name` and `host.id` to understand the system role and whether advanced PowerShell activity is expected on that host.

- Scope for additional related activity on the same host:
  - Search for other script blocks on the same `host.id` and `user.id` near the alert time to identify staging, follow-on commands, or cleanup actions.
  - Pivot on `powershell.file.script_block_id` to ensure all fragments are reviewed and to detect repeated execution of the same script content.

- Scope for related activity across the environment:
  - Search for additional script blocks containing the same distinctive function name(s) or matching snippets of `powershell.file.script_block_text` to identify reuse and potential spread.
  - If `file.path` or `file.name` is present, check for the same script artifact referenced on other hosts.

- Correlate with adjacent telemetry (as available) to confirm impact and intent:
  - Process telemetry to identify the initiating process (parent of PowerShell) and any suspicious child processes spawned after the script executed.
  - Authentication telemetry to identify anomalous logons or access patterns involving the same user around the execution window.
  - Network and DNS telemetry to identify outbound connections, internal scanning, or remote management activity aligned with `@timestamp`.
  - Persistence telemetry to identify new or modified services, scheduled tasks, autoruns, or registry changes that align with the observed script capability.

### False positive analysis

- Internal security or IT teams may run proof-of-concept or validation scripts for training, detection testing, or incident response. Confirm script ownership, change control, and expected distribution.

### Response and remediation

- If the activity is unauthorized or suspicious:
  - Contain the affected host to prevent additional execution and lateral movement.
  - Preserve evidence by saving all related script block events (reconstruct full content using `powershell.file.script_block_id`, `powershell.sequence`, and `powershell.total`) and collecting any referenced on-disk script identified by `file.path`.
  - Prioritize impact assessment based on the functions observed (credential access, injection, remote execution, persistence, or exfiltration) and look for corroborating activity in adjacent telemetry.
  - Scope for additional impacted systems and accounts by searching for the same function names or script snippets across other hosts and users.
  - Remove identified artifacts and persistence mechanisms, and monitor for re-execution using the same function-name patterns.

- If the activity is confirmed benign:
  - Document the justification (owner, purpose, expected hosts/users, and time window) and retain the reconstructed script content for future baselining.
  - Where feasible, limit high-risk PowerShell tooling to controlled administrative hosts and approved accounts to reduce recurrence.
"""
references = [
    "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md",
    "https://github.com/BC-SECURITY/Empire",
    "https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/",
]
risk_score = 47
rule_id = "cde1bafa-9f01-4f43-a872-605b678968b0"
setup = """## Setup

PowerShell Script Block Logging must be enabled to generate the events used by this rule (e.g., 4104).
Setup instructions: https://ela.st/powershell-logging-setup
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: PowerShell Logs",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:process and host.os.type:windows and
  powershell.file.script_block_text : (
    "Add-DomainGroupMember" or "Add-DomainObjectAcl" or
    "Add-RemoteConnection" or "Add-ServiceDacl" or
    "Add-Win32Type" or "Convert-ADName" or
    "Convert-LDAPProperty" or "ConvertFrom-LDAPLogonHours" or
    "ConvertFrom-UACValue" or "Copy-ArrayOfMemAddresses" or
    "Create-NamedPipe" or "Create-ProcessWithToken" or
    "Create-RemoteThread" or "Create-SuspendedWinLogon" or
    "Create-WinLogonProcess" or "Emit-CallThreadStub" or
    "Enable-SeAssignPrimaryTokenPrivilege" or "Enable-SeDebugPrivilege" or
    "Enum-AllTokens" or "Export-PowerViewCSV" or
    "Find-AVSignature" or "Find-AppLockerLog" or
    "Find-DomainLocalGroupMember" or "Find-DomainObjectPropertyOutlier" or
    "Find-DomainProcess" or "Find-DomainShare" or
    "Find-DomainUserEvent" or "Find-DomainUserLocation" or
    "Find-InterestingDomainAcl" or "Find-InterestingDomainShareFile" or
    "Find-InterestingFile" or "Find-LocalAdminAccess" or
    "Find-PSScriptsInPSAppLog" or "Find-PathDLLHijack" or
    "Find-ProcessDLLHijack" or "Find-RDPClientConnection" or
    "Get-AllAttributesForClass" or "Get-CachedGPPPassword" or
    "Get-DecryptedCpassword" or "Get-DecryptedSitelistPassword" or
    "Get-DelegateType" or "New-RelayEnumObject" or
    "Get-DomainDFSShare" or "Get-DomainDFSShareV1" or
    "Get-DomainDFSShareV2" or "Get-DomainDNSRecord" or
    "Get-DomainDNSZone" or "Get-DomainFileServer" or
    "Get-DomainForeignGroupMember" or "Get-DomainForeignUser" or
    "Get-DomainGPO" or "Get-DomainGPOComputerLocalGroupMapping" or
    "Get-DomainGPOLocalGroup" or "Get-DomainGPOUserLocalGroupMapping" or
    "Get-DomainGUIDMap" or "Get-DomainGroup" or
    "Get-DomainGroupMember" or "Get-DomainGroupMemberDeleted" or
    "Get-DomainManagedSecurityGroup" or "Get-DomainOU" or
    "Get-DomainObject" or "Get-DomainObjectAcl" or
    "Get-DomainObjectAttributeHistory" or "Get-DomainObjectLinkedAttributeHistory" or
    "Get-DomainPolicyData" or "Get-DomainSID" or
    "Get-DomainSPNTicket" or "Get-DomainSearcher" or
    "Get-DomainSite" or "Get-DomainSubnet" or
    "Get-DomainTrust" or "Get-DomainTrustMapping" or
    "Get-DomainUser" or "Get-DomainUserEvent" or
    "Get-Forest" or "Get-ForestDomain" or
    "Get-ForestGlobalCatalog" or "Get-ForestSchemaClass" or
    "Get-ForestTrust" or "Get-GPODelegation" or
    "Get-GPPAutologon" or "Get-GPPInnerField" or
    "Get-GPPInnerFields" or "Get-GPPPassword" or
    "Get-GptTmpl" or "Get-GroupsXML" or
    "Get-HttpStatus" or "Get-ImageNtHeaders" or
    "Get-Keystrokes" or "New-SOASerialNumberArray" or
    "Get-MemoryProcAddress" or "Get-MicrophoneAudio" or
    "Get-ModifiablePath" or "Get-ModifiableRegistryAutoRun" or
    "Get-ModifiableScheduledTaskFile" or "Get-ModifiableService" or
    "Get-ModifiableServiceFile" or "Get-Name" or
    "Get-NetComputerSiteName" or "Get-NetLocalGroup" or
    "Get-NetLocalGroupMember" or "Get-NetLoggedon" or
    "Get-NetRDPSession" or "Get-NetSession" or
    "Get-NetShare" or "Get-PEArchitecture" or
    "Get-PEBasicInfo" or "Get-PEDetailedInfo" or
    "Get-PathAcl" or "Get-PrimaryToken" or
    "Get-ProcAddress" or "Get-ProcessTokenGroup" or
    "Get-ProcessTokenPrivilege" or "Get-ProcessTokenType" or
    "Get-RegLoggedOn" or "Get-RegistryAlwaysInstallElevated" or
    "Get-RegistryAutoLogon" or "Get-RemoteProcAddress" or
    "Get-Screenshot" or "Get-ServiceDetail" or
    "Get-SiteListPassword" or "Get-SitelistField" or
    "Get-System" or "Get-SystemNamedPipe" or
    "Get-SystemToken" or "Get-ThreadToken" or
    "Get-TimedScreenshot" or "Get-TokenInformation" or
    "Get-TopPort" or "Get-UnattendedInstallFile" or
    "Get-UniqueTokens" or "Get-UnquotedService" or
    "Get-VaultCredential" or "Get-VaultElementValue" or
    "Get-VirtualProtectValue" or "Get-VolumeShadowCopy" or
    "Get-WMIProcess" or "Get-WMIRegCachedRDPConnection" or
    "Get-WMIRegLastLoggedOn" or "Get-WMIRegMountedDrive" or
    "Get-WMIRegProxy" or "Get-WebConfig" or
    "Get-Win32Constants" or "Get-Win32Functions" or
    "Get-Win32Types" or "Import-DllImports" or
    "Import-DllInRemoteProcess" or "Inject-LocalShellcode" or
    "Inject-RemoteShellcode" or "Install-ServiceBinary" or
    "Invoke-CompareAttributesForClass" or "Invoke-CreateRemoteThread" or
    "Invoke-CredentialInjection" or "Invoke-DllInjection" or
    "Invoke-EventVwrBypass" or "Invoke-ImpersonateUser" or
    "Invoke-Kerberoast" or "Invoke-MemoryFreeLibrary" or
    "Invoke-MemoryLoadLibrary" or
    "Invoke-Mimikatz" or "Invoke-NinjaCopy" or
    "Invoke-PatchDll" or "Invoke-Portscan" or
    "Invoke-PrivescAudit" or "Invoke-ReflectivePEInjection" or
    "Invoke-ReverseDnsLookup" or "Invoke-RevertToSelf" or
    "Invoke-ServiceAbuse" or "Invoke-Shellcode" or
    "Invoke-TokenManipulation" or "Invoke-UserImpersonation" or
    "Invoke-WmiCommand" or "Mount-VolumeShadowCopy" or
    "New-ADObjectAccessControlEntry" or "New-DomainGroup" or
    "New-DomainUser" or "New-DynamicParameter" or
    "New-InMemoryModule" or
    "New-ThreadedFunction" or "New-VolumeShadowCopy" or
    "Out-CompressedDll" or "Out-EncodedCommand" or
    "Out-EncryptedScript" or "Out-Minidump" or
    "PortScan-Alive" or "Portscan-Port" or
    "Remove-DomainGroupMember" or "Remove-DomainObjectAcl" or
    "Remove-RemoteConnection" or "Remove-VolumeShadowCopy" or
    "Restore-ServiceBinary" or "Set-DesktopACLToAllowEveryone" or
    "Set-DesktopACLs" or "Set-DomainObject" or
    "Set-DomainObjectOwner" or "Set-DomainUserPassword" or
    "Set-ServiceBinaryPath" or "Sub-SignedIntAsUnsigned" or
    "Test-AdminAccess" or "Test-MemoryRangeValid" or
    "Test-ServiceDaclPermission" or "Update-ExeFunctions" or
    "Update-MemoryAddresses" or "Update-MemoryProtectionFlags" or
    "Write-BytesToMemory" or "Write-HijackDll" or
    "Write-PortscanOut" or "Write-ServiceBinary" or
    "Write-UserAddMSI" or "Invoke-Privesc" or
    "func_get_proc_address" or "Invoke-BloodHound" or
    "Invoke-HostEnum" or "Get-BrowserInformation" or
    "Get-DomainAccountPolicy" or "Get-DomainAdmins" or
    "Get-AVProcesses" or "Get-AVInfo" or
    "Get-RecycleBin" or "Invoke-BruteForce" or
    "Get-PassHints" or "Invoke-SessionGopher" or
    "Get-LSASecret" or "Get-PassHashes" or
    "Invoke-WdigestDowngrade" or "Get-ChromeDump" or
    "Invoke-DomainPasswordSpray" or "Get-FoxDump" or
    "New-HoneyHash" or "Invoke-DCSync" or
    "Invoke-PowerDump" or "Invoke-SSIDExfil" or
    "Invoke-PowerShellTCP" or "Add-Exfiltration" or
    "Do-Exfiltration" or "Invoke-DropboxUpload" or
    "Invoke-ExfilDataToGitHub" or "Invoke-EgressCheck" or
    "Invoke-PostExfil" or "Create-MultipleSessions" or
    "Invoke-NetworkRelay" or "New-GPOImmediateTask" or
    "Invoke-WMIDebugger" or "Invoke-SQLOSCMD" or
    "Invoke-SMBExec" or "Invoke-PSRemoting" or
    "Invoke-ExecuteMSBuild" or "Invoke-DCOM" or
    "Invoke-InveighRelay" or "Invoke-PsExec" or
    "Find-ActiveUsersWMI" or
    "Get-SystemDrivesWMI" or "Get-ActiveNICSWMI" or
    "Remove-Persistence" or "DNS_TXT_Pwnage" or
    "Execute-OnTime" or "HTTP-Backdoor" or
    "Add-ConstrainedDelegationBackdoor" or "Add-RegBackdoor" or
    "Add-ScrnSaveBackdoor" or "Gupt-Backdoor" or
    "Invoke-ADSBackdoor" or "Add-Persistence" or
    "Invoke-ResolverBackdoor" or "Invoke-EventLogBackdoor" or
    "Invoke-DeadUserBackdoor" or "Invoke-DisableMachineAcctChange" or
    "Invoke-AccessBinary" or "Add-NetUser" or
    "Invoke-Schtasks" or "Invoke-JSRatRegsvr" or
    "Invoke-JSRatRundll" or "Invoke-PoshRatHttps" or
    "Invoke-PsGcatAgent" or "Remove-PoshRat" or
    "Install-SSP" or "Invoke-BackdoorLNK" or
    "PowerBreach" or "InstallEXE-Persistence" or
    "RemoveEXE-Persistence" or "Install-ServiceLevel-Persistence" or
    "Remove-ServiceLevel-Persistence" or "Invoke-Prompt" or
    "Invoke-PacketCapture" or "Start-WebcamRecorder" or
    "Get-USBKeyStrokes" or "Invoke-KeeThief" or
    "Get-Keystrokes" or "Invoke-NetRipper" or
    "Get-EmailItems" or "Invoke-MailSearch" or
    "Invoke-SearchGAL" or "Get-WebCredentials" or
    "Start-CaptureServer" or "Invoke-PowerShellIcmp" or
    "Invoke-PowerShellTcpOneLine" or "Invoke-PowerShellTcpOneLineBind" or
    "Invoke-PowerShellUdp" or "Invoke-PowerShellUdpOneLine" or
    "Run-EXEonRemote" or "Download-Execute-PS" or
    "Out-RundllCommand" or "Set-RemoteWMI" or
    "Set-DCShadowPermissions" or "Invoke-PowerShellWMI" or
    "Invoke-Vnc" or "Invoke-LockWorkStation" or
    "Invoke-EternalBlue" or "Invoke-ShellcodeMSIL" or
    "Invoke-MetasploitPayload" or "Invoke-DowngradeAccount" or
    "Invoke-RunAs" or "ExetoText" or
    "Disable-SecuritySettings" or "Set-MacAttribute" or
    "Invoke-MS16032" or "Invoke-BypassUACTokenManipulation" or
    "Invoke-SDCLTBypass" or "Invoke-FodHelperBypass" or
    "Invoke-EventVwrBypass" or "Invoke-EnvBypass" or
    "Get-ServiceUnquoted" or "Get-ServiceFilePermission" or
    "Get-ServicePermission" or
    "Enable-DuplicateToken" or "Invoke-PsUaCme" or
    "Invoke-Tater" or "Invoke-WScriptBypassUAC" or
    "Invoke-AllChecks" or "Find-TrustedDocuments" or
    "Invoke-Interceptor" or "Invoke-PoshRatHttp" or
    "Invoke-ExecCommandWMI" or "Invoke-KillProcessWMI" or
    "Invoke-CreateShareandExecute" or "Invoke-RemoteScriptWithOutput" or
    "Invoke-SchedJobManipulation" or "Invoke-ServiceManipulation" or
    "Invoke-PowerOptionsWMI" or "Invoke-DirectoryListing" or
    "Invoke-FileTransferOverWMI" or "Invoke-WMImplant" or
    "Invoke-WMIObfuscatedPSCommand" or "Invoke-WMIDuplicateClass" or
    "Invoke-WMIUpload" or "Invoke-WMIRemoteExtract" or "Invoke-winPEAS" or
    "Invoke-AzureHound" or "Invoke-SharpHound" or "Invoke-DownloadCradle" or
    "Invoke-AppPathBypass"
  ) and
  not powershell.file.script_block_text : (
    "sentinelbreakpoints" and "Set-PSBreakpoint"
  ) and
  not user.id : ("S-1-5-18" or "S-1-5-19")
'''

[[rule.filters]]

[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user.id",
    "user.domain",
    "powershell.file.script_block_text",
    "powershell.file.script_block_id",
    "powershell.sequence",
    "powershell.total",
    "file.path",
    "file.directory",
    "file.name",
    "process.pid",
    "host.name",
    "host.id",
    "powershell.file.script_block_length"
]
