Malicious PowerShell Scripts - PoshModule
Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance
Sigma rule
title: Malicious PowerShell Scripts - PoshModule
id: 41025fd7-0466-4650-a813-574aaacbe7f4
related:
    - id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
      type: similar
    - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
      type: obsolete
status: test
description: Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance
references:
    - https://github.com/PowerShellMafia/PowerSploit
    - https://github.com/NetSPI/PowerUpSQL
    - https://github.com/CsEnox/EventViewer-UACBypass
    - https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu
    - https://github.com/nettitude/Invoke-PowerThIEf
    - https://github.com/S3cur3Th1sSh1t/WinPwn
    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
    - https://github.com/HarmJ0y/DAMP
    - https://github.com/samratashok/nishang
    - https://github.com/DarkCoderSc/PowerRunAsSystem/
    - https://github.com/besimorhino/powercat
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-23
modified: 2024-01-25
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_generic:
        ContextInfo|contains:
            - 'Add-ConstrainedDelegationBackdoor.ps1'
            - 'Add-Exfiltration.ps1'
            - 'Add-Persistence.ps1'
            - 'Add-RegBackdoor.ps1'
            - 'Add-RemoteRegBackdoor.ps1'
            - 'Add-ScrnSaveBackdoor.ps1'
            - 'Check-VM.ps1'
            - 'ConvertTo-ROT13.ps1'
            - 'Copy-VSS.ps1'
            - 'Create-MultipleSessions.ps1'
            - 'DNS_TXT_Pwnage.ps1'
            - 'dnscat2.ps1'
            - 'Do-Exfiltration.ps1'
            - 'DomainPasswordSpray.ps1'
            - 'Download_Execute.ps1'
            - 'Download-Execute-PS.ps1'
            - 'Enabled-DuplicateToken.ps1'
            - 'Enable-DuplicateToken.ps1'
            - 'Execute-Command-MSSQL.ps1'
            - 'Execute-DNSTXT-Code.ps1'
            - 'Execute-OnTime.ps1'
            - 'ExetoText.ps1'
            - 'Exploit-Jboss.ps1'
            - 'Find-AVSignature.ps1'
            - 'Find-Fruit.ps1'
            - 'Find-GPOLocation.ps1'
            - 'Find-TrustedDocuments.ps1'
            - 'FireBuster.ps1'
            - 'FireListener.ps1'
            - 'Get-ApplicationHost.ps1'
            - 'Get-ChromeDump.ps1'
            - 'Get-ClipboardContents.ps1'
            - 'Get-ComputerDetail.ps1'
            - 'Get-FoxDump.ps1'
            - 'Get-GPPAutologon.ps1'
            - 'Get-GPPPassword.ps1'
            - 'Get-IndexedItem.ps1'
            - 'Get-Keystrokes.ps1'
            - 'Get-LSASecret.ps1'
            - 'Get-MicrophoneAudio.ps1'
            - 'Get-PassHashes.ps1'
            - 'Get-PassHints.ps1'
            - 'Get-RegAlwaysInstallElevated.ps1'
            - 'Get-RegAutoLogon.ps1'
            - 'Get-RickAstley.ps1'
            - 'Get-Screenshot.ps1'
            - 'Get-SecurityPackages.ps1'
            - 'Get-ServiceFilePermission.ps1'
            - 'Get-ServicePermission.ps1'
            - 'Get-ServiceUnquoted.ps1'
            - 'Get-SiteListPassword.ps1'
            - 'Get-System.ps1'
            - 'Get-TimedScreenshot.ps1'
            - 'Get-UnattendedInstallFile.ps1'
            - 'Get-Unconstrained.ps1'
            - 'Get-USBKeystrokes.ps1'
            - 'Get-VaultCredential.ps1'
            - 'Get-VulnAutoRun.ps1'
            - 'Get-VulnSchTask.ps1'
            - 'Get-WebConfig.ps1'
            - 'Get-WebCredentials.ps1'
            - 'Get-WLAN-Keys.ps1'
            - 'Gupt-Backdoor.ps1'
            - 'HTTP-Backdoor.ps1'
            - 'HTTP-Login.ps1'
            - 'Install-ServiceBinary.ps1'
            - 'Install-SSP.ps1'
            - 'Invoke-ACLScanner.ps1'
            - 'Invoke-ADSBackdoor.ps1'
            - 'Invoke-AmsiBypass.ps1'
            - 'Invoke-ARPScan.ps1'
            - 'Invoke-BackdoorLNK.ps1'
            - 'Invoke-BadPotato.ps1'
            - 'Invoke-BetterSafetyKatz.ps1'
            - 'Invoke-BruteForce.ps1'
            - 'Invoke-BypassUAC.ps1'
            - 'Invoke-Carbuncle.ps1'
            - 'Invoke-Certify.ps1'
            - 'Invoke-ConPtyShell.ps1'
            - 'Invoke-CredentialInjection.ps1'
            - 'Invoke-CredentialsPhish.ps1'
            - 'Invoke-DAFT.ps1'
            - 'Invoke-DCSync.ps1'
            - 'Invoke-Decode.ps1'
            - 'Invoke-DinvokeKatz.ps1'
            - 'Invoke-DllInjection.ps1'
            - 'Invoke-DowngradeAccount.ps1'
            - 'Invoke-EgressCheck.ps1'
            - 'Invoke-Encode.ps1'
            - 'Invoke-EventViewer.ps1'
            - 'Invoke-Eyewitness.ps1'
            - 'Invoke-FakeLogonScreen.ps1'
            - 'Invoke-Farmer.ps1'
            - 'Invoke-Get-RBCD-Threaded.ps1'
            - 'Invoke-Gopher.ps1'
            - 'Invoke-Grouper2.ps1'
            - 'Invoke-Grouper3.ps1'
            - 'Invoke-HandleKatz.ps1'
            - 'Invoke-Interceptor.ps1'
            - 'Invoke-Internalmonologue.ps1'
            - 'Invoke-Inveigh.ps1'
            - 'Invoke-InveighRelay.ps1'
            - 'Invoke-JSRatRegsvr.ps1'
            - 'Invoke-JSRatRundll.ps1'
            - 'Invoke-KrbRelay.ps1'
            - 'Invoke-KrbRelayUp.ps1'
            - 'Invoke-LdapSignCheck.ps1'
            - 'Invoke-Lockless.ps1'
            - 'Invoke-MalSCCM.ps1'
            - 'Invoke-Mimikatz.ps1'
            - 'Invoke-MimikatzWDigestDowngrade.ps1'
            - 'Invoke-Mimikittenz.ps1'
            - 'Invoke-MITM6.ps1'
            - 'Invoke-NanoDump.ps1'
            - 'Invoke-NetRipper.ps1'
            - 'Invoke-NetworkRelay.ps1'
            - 'Invoke-NinjaCopy.ps1'
            - 'Invoke-OxidResolver.ps1'
            - 'Invoke-P0wnedshell.ps1'
            - 'Invoke-P0wnedshellx86.ps1'
            - 'Invoke-Paranoia.ps1'
            - 'Invoke-PortScan.ps1'
            - 'Invoke-PoshRatHttp.ps1'
            - 'Invoke-PoshRatHttps.ps1'
            - 'Invoke-PostExfil.ps1'
            - 'Invoke-PowerDump.ps1'
            - 'Invoke-PowerShellIcmp.ps1'
            - 'Invoke-PowerShellTCP.ps1'
            - 'Invoke-PowerShellTcpOneLine.ps1'
            - 'Invoke-PowerShellTcpOneLineBind.ps1'
            - 'Invoke-PowerShellUdp.ps1'
            - 'Invoke-PowerShellUdpOneLine.ps1'
            - 'Invoke-PowerShellWMI.ps1'
            - 'Invoke-PowerThIEf.ps1'
            - 'Invoke-PPLDump.ps1'
            - 'Invoke-Prasadhak.ps1'
            - 'Invoke-PsExec.ps1'
            - 'Invoke-PsGcat.ps1'
            - 'Invoke-PsGcatAgent.ps1'
            - 'Invoke-PSInject.ps1'
            - 'Invoke-PsUaCme.ps1'
            - 'Invoke-ReflectivePEInjection.ps1'
            - 'Invoke-ReverseDNSLookup.ps1'
            - 'Invoke-Rubeus.ps1'
            - 'Invoke-RunAs.ps1'
            - 'Invoke-SafetyKatz.ps1'
            - 'Invoke-SauronEye.ps1'
            - 'Invoke-SCShell.ps1'
            - 'Invoke-Seatbelt.ps1'
            - 'Invoke-ServiceAbuse.ps1'
            - 'Invoke-SessionGopher.ps1'
            - 'Invoke-ShellCode.ps1'
            - 'Invoke-SMBScanner.ps1'
            - 'Invoke-Snaffler.ps1'
            - 'Invoke-Spoolsample.ps1'
            - 'Invoke-SSHCommand.ps1'
            - 'Invoke-SSIDExfil.ps1'
            - 'Invoke-StandIn.ps1'
            - 'Invoke-StickyNotesExtract.ps1'
            - 'Invoke-Tater.ps1'
            - 'Invoke-Thunderfox.ps1'
            - 'Invoke-ThunderStruck.ps1'
            - 'Invoke-TokenManipulation.ps1'
            - 'Invoke-Tokenvator.ps1'
            - 'Invoke-TotalExec.ps1'
            - 'Invoke-UrbanBishop.ps1'
            - 'Invoke-UserHunter.ps1'
            - 'Invoke-VoiceTroll.ps1'
            - 'Invoke-Whisker.ps1'
            - 'Invoke-WinEnum.ps1'
            - 'Invoke-winPEAS.ps1'
            - 'Invoke-WireTap.ps1'
            - 'Invoke-WmiCommand.ps1'
            - 'Invoke-WScriptBypassUAC.ps1'
            - 'Invoke-Zerologon.ps1'
            - 'Keylogger.ps1'
            - 'MailRaider.ps1'
            - 'New-HoneyHash.ps1'
            - 'OfficeMemScraper.ps1'
            - 'Offline_Winpwn.ps1'
            - 'Out-CHM.ps1'
            - 'Out-DnsTxt.ps1'
            - 'Out-Excel.ps1'
            - 'Out-HTA.ps1'
            - 'Out-Java.ps1'
            - 'Out-JS.ps1'
            - 'Out-Minidump.ps1'
            - 'Out-RundllCommand.ps1'
            - 'Out-SCF.ps1'
            - 'Out-SCT.ps1'
            - 'Out-Shortcut.ps1'
            - 'Out-WebQuery.ps1'
            - 'Out-Word.ps1'
            - 'Parse_Keys.ps1'
            - 'Port-Scan.ps1'
            - 'PowerBreach.ps1'
            - 'powercat.ps1'
            - 'PowerRunAsSystem.psm1'
            - 'PowerSharpPack.ps1'
            - 'PowerUp.ps1'
            - 'PowerUpSQL.ps1'
            - 'PowerView.ps1'
            - 'PSAsyncShell.ps1'
            - 'RemoteHashRetrieval.ps1'
            - 'Remove-Persistence.ps1'
            - 'Remove-PoshRat.ps1'
            - 'Remove-Update.ps1'
            - 'Run-EXEonRemote.ps1'
            - 'Schtasks-Backdoor.ps1'
            - 'Set-DCShadowPermissions.ps1'
            - 'Set-MacAttribute.ps1'
            - 'Set-RemotePSRemoting.ps1'
            - 'Set-RemoteWMI.ps1'
            - 'Set-Wallpaper.ps1'
            - 'Show-TargetScreen.ps1'
            - 'Speak.ps1'
            - 'Start-CaptureServer.ps1'
            - 'Start-WebcamRecorder.ps1'
            - 'StringToBase64.ps1'
            - 'TexttoExe.ps1'
            - 'VolumeShadowCopyTools.ps1'
            - 'WinPwn.ps1'
            - 'WSUSpendu.ps1'
    selection_invoke_sharp:
        ContextInfo|contains|all:
            - 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
            - '.ps1'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
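To show how the rule's two selections and its `1 of selection_*` condition behave on ps_module (Event ID 4103) records, here is an added evaluator in Python that is not part of SigmaHQ or pySigma. It reproduces Sigma's default case-insensitive `contains` matching and the order-independent `all` modifier; the script names are a subset of the rule's list and the log records are constructed.

```python
"""Evaluate the PoshModule rule's detection logic over constructed ps_module
(Event ID 4103) records.  Added example; not SigmaHQ or pySigma code."""

# Subset of the rule's selection_generic values (the rule carries the full list).
SELECTION_GENERIC = [
    "Invoke-Mimikatz.ps1",
    "PowerView.ps1",
    "Get-GPPPassword.ps1",
    "powercat.ps1",
]
# selection_invoke_sharp: ContextInfo|contains|all
SELECTION_INVOKE_SHARP = ["Invoke-Sharp", ".ps1"]


def contains(value: str, needle: str) -> bool:
    """Sigma 'contains' modifier: substring test, case-insensitive by default."""
    return needle.lower() in value.lower()


def selection_generic(record: dict) -> bool:
    """Any one listed name appearing anywhere in ContextInfo is enough."""
    ctx = record.get("ContextInfo", "")
    return any(contains(ctx, n) for n in SELECTION_GENERIC)


def selection_invoke_sharp(record: dict) -> bool:
    """'all' modifier: every value must be present; order and adjacency are not checked."""
    ctx = record.get("ContextInfo", "")
    return all(contains(ctx, n) for n in SELECTION_INVOKE_SHARP)


def rule_matches(record: dict) -> bool:
    """condition: 1 of selection_*  ->  one matching selection suffices."""
    return selection_generic(record) or selection_invoke_sharp(record)


def matching_records(records: list) -> list:
    return [r for r in records if rule_matches(r)]


# Constructed 4103 records (ContextInfo abbreviated; paths are made up).
SAMPLE_RECORDS = [
    {"EventID": 4103, "ContextInfo": "Host Application = powershell.exe -File C:\\Users\\Public\\INVOKE-MIMIKATZ.PS1"},  # upper case still matches
    {"EventID": 4103, "ContextInfo": "Script Name = C:\\Temp\\Invoke-SharpHound.ps1"},  # selection_invoke_sharp
    {"EventID": 4103, "ContextInfo": "Script Name = C:\\Temp\\Invoke-SharpTest.psm1"},  # '.psm1' lacks '.ps1': no match
    {"EventID": 4103, "ContextInfo": "Host Application = powershell.exe -File C:\\Scripts\\Get-Inventory.ps1"},  # benign
]
```

Because `contains|all` ignores ordering, a record such as `run.ps1 -Module Invoke-SharpUp` also matches the second selection, which is worth knowing when triaging hits.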
Related rules
- Malicious PowerShell Scripts - FileCreation
- ChromeLoader Malware Execution
- Obfuscated PowerShell OneLiner Execution
- Raspberry Robin Initial Execution From External Drive
- Raspberry Robin Subsequent Execution of Commands