Malicious PowerShell Commandlets - PoshModule

  1title: Malicious PowerShell Commandlets - PoshModule
  2id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
  3related:
  4    - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
  5      type: similar
  6    - id: 02030f2f-6199-49ec-b258-ea71b07e03dc
  7      type: similar
  8status: test
  9description: Detects Commandlet names from well-known PowerShell exploitation frameworks
 10references:
 11    - https://adsecurity.org/?p=2921
 12    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
 13    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
 14    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
 15    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
 16    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
 17    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
 18    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
 19    - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
 20    - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
 21    - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
 22    - https://github.com/HarmJ0y/DAMP
 23    - https://github.com/samratashok/nishang
 24    - https://github.com/DarkCoderSc/PowerRunAsSystem/
 25    - https://github.com/besimorhino/powercat
 26    - https://github.com/Kevin-Robertson/Powermad
 27    - https://github.com/adrecon/ADRecon
 28    - https://github.com/adrecon/AzureADRecon
 29author: Nasreddine Bencherchali (Nextron Systems)
 30date: 2023/01/20
 31modified: 2024/01/25
 32tags:
 33    - attack.execution
 34    - attack.discovery
 35    - attack.t1482
 36    - attack.t1087
 37    - attack.t1087.001
 38    - attack.t1087.002
 39    - attack.t1069.001
 40    - attack.t1069.002
 41    - attack.t1069
 42    - attack.t1059.001
 43logsource:
 44    product: windows
 45    category: ps_module
 46    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
 47detection:
 48    selection:
 49        Payload|contains:
 50            # Note: Please ensure alphabetical order when adding new entries
 51            - 'Add-Exfiltration'
 52            - 'Add-Persistence'
 53            - 'Add-RegBackdoor'
 54            - 'Add-RemoteRegBackdoor'
 55            - 'Add-ScrnSaveBackdoor'
 56            - 'Check-VM'
 57            - 'ConvertTo-Rc4ByteStream'
 58            - 'Decrypt-Hash'
 59            - 'Disable-ADIDNSNode'
 60            - 'Disable-MachineAccount'
 61            - 'Do-Exfiltration'
 62            - 'Enable-ADIDNSNode'
 63            - 'Enable-MachineAccount'
 64            - 'Enabled-DuplicateToken'
 65            - 'Exploit-Jboss'
 66            - 'Export-ADR' # # ADRecon related cmdlets
 67            - 'Export-ADRCSV' # # ADRecon related cmdlets
 68            - 'Export-ADRExcel' # # ADRecon related cmdlets
 69            - 'Export-ADRHTML' # # ADRecon related cmdlets
 70            - 'Export-ADRJSON' # # ADRecon related cmdlets
 71            - 'Export-ADRXML' # # ADRecon related cmdlets
 72            - 'Find-Fruit'
 73            - 'Find-GPOLocation'
 74            - 'Find-TrustedDocuments'
 75            - 'Get-ADIDNS' # Covers: Get-ADIDNSNodeAttribute, Get-ADIDNSNodeOwner, Get-ADIDNSNodeTombstoned, Get-ADIDNSPermission, Get-ADIDNSZone
 76            - 'Get-ApplicationHost'
 77            - 'Get-ChromeDump'
 78            - 'Get-ClipboardContents'
 79            - 'Get-FoxDump'
 80            - 'Get-GPPPassword'
 81            - 'Get-IndexedItem'
 82            - 'Get-KerberosAESKey'
 83            - 'Get-Keystrokes'
 84            - 'Get-LSASecret'
 85            - 'Get-MachineAccountAttribute'
 86            - 'Get-MachineAccountCreator'
 87            - 'Get-PassHashes'
 88            - 'Get-RegAlwaysInstallElevated'
 89            - 'Get-RegAutoLogon'
 90            - 'Get-RemoteBootKey'
 91            - 'Get-RemoteCachedCredential'
 92            - 'Get-RemoteLocalAccountHash'
 93            - 'Get-RemoteLSAKey'
 94            - 'Get-RemoteMachineAccountHash'
 95            - 'Get-RemoteNLKMKey'
 96            - 'Get-RickAstley'
 97            - 'Get-Screenshot'
 98            - 'Get-SecurityPackages'
 99            - 'Get-ServiceFilePermission'
100            - 'Get-ServicePermission'
101            - 'Get-ServiceUnquoted'
102            - 'Get-SiteListPassword'
103            - 'Get-System'
104            - 'Get-TimedScreenshot'
105            - 'Get-UnattendedInstallFile'
106            - 'Get-Unconstrained'
107            - 'Get-USBKeystrokes'
108            - 'Get-VaultCredential'
109            - 'Get-VulnAutoRun'
110            - 'Get-VulnSchTask'
111            - 'Grant-ADIDNSPermission'
112            - 'Gupt-Backdoor'
113            - 'HTTP-Login'
114            - 'Install-ServiceBinary'
115            - 'Install-SSP'
116            - 'Invoke-ACLScanner'
117            - 'Invoke-ADRecon' # # ADRecon related cmdlets
118            - 'Invoke-ADSBackdoor'
119            - 'Invoke-AgentSmith'
120            - 'Invoke-AllChecks'
121            - 'Invoke-ARPScan'
122            - 'Invoke-AzureHound'
123            - 'Invoke-BackdoorLNK'
124            - 'Invoke-BadPotato'
125            - 'Invoke-BetterSafetyKatz'
126            - 'Invoke-BypassUAC'
127            - 'Invoke-Carbuncle'
128            - 'Invoke-Certify'
129            - 'Invoke-ConPtyShell'
130            - 'Invoke-CredentialInjection'
131            - 'Invoke-DAFT'
132            - 'Invoke-DCSync'
133            - 'Invoke-DinvokeKatz'
134            - 'Invoke-DllInjection'
135            - 'Invoke-DNSUpdate'
136            - 'Invoke-DomainPasswordSpray'
137            - 'Invoke-DowngradeAccount'
138            - 'Invoke-EgressCheck'
139            - 'Invoke-Eyewitness'
140            - 'Invoke-FakeLogonScreen'
141            - 'Invoke-Farmer'
142            - 'Invoke-Get-RBCD-Threaded'
143            - 'Invoke-Gopher'
144            - 'Invoke-Grouper' # Also Covers Invoke-GrouperX
145            - 'Invoke-HandleKatz'
146            - 'Invoke-ImpersonatedProcess'
147            - 'Invoke-ImpersonateSystem'
148            - 'Invoke-InteractiveSystemPowerShell'
149            - 'Invoke-Internalmonologue'
150            - 'Invoke-Inveigh'
151            - 'Invoke-InveighRelay'
152            - 'Invoke-KrbRelay'
153            - 'Invoke-LdapSignCheck'
154            - 'Invoke-Lockless'
155            - 'Invoke-MalSCCM'
156            - 'Invoke-Mimikatz'
157            - 'Invoke-Mimikittenz'
158            - 'Invoke-MITM6'
159            - 'Invoke-NanoDump'
160            - 'Invoke-NetRipper'
161            - 'Invoke-Nightmare'
162            - 'Invoke-NinjaCopy'
163            - 'Invoke-OfficeScrape'
164            - 'Invoke-OxidResolver'
165            - 'Invoke-P0wnedshell'
166            - 'Invoke-Paranoia'
167            - 'Invoke-PortScan'
168            - 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
169            - 'Invoke-PostExfil'
170            - 'Invoke-PowerDump'
171            - 'Invoke-PowerShellTCP'
172            - 'Invoke-PowerShellWMI'
173            - 'Invoke-PPLDump'
174            - 'Invoke-PsExec'
175            - 'Invoke-PSInject'
176            - 'Invoke-PsUaCme'
177            - 'Invoke-ReflectivePEInjection'
178            - 'Invoke-ReverseDNSLookup'
179            - 'Invoke-Rubeus'
180            - 'Invoke-RunAs'
181            - 'Invoke-SafetyKatz'
182            - 'Invoke-SauronEye'
183            - 'Invoke-SCShell'
184            - 'Invoke-Seatbelt'
185            - 'Invoke-ServiceAbuse'
186            - 'Invoke-ShadowSpray'
187            - 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
188            - 'Invoke-Shellcode'
189            - 'Invoke-SMBScanner'
190            - 'Invoke-Snaffler'
191            - 'Invoke-Spoolsample'
192            - 'Invoke-SpraySinglePassword'
193            - 'Invoke-SSHCommand'
194            - 'Invoke-StandIn'
195            - 'Invoke-StickyNotesExtract'
196            - 'Invoke-SystemCommand'
197            - 'Invoke-Tasksbackdoor'
198            - 'Invoke-Tater'
199            - 'Invoke-Thunderfox'
200            - 'Invoke-ThunderStruck'
201            - 'Invoke-TokenManipulation'
202            - 'Invoke-Tokenvator'
203            - 'Invoke-TotalExec'
204            - 'Invoke-UrbanBishop'
205            - 'Invoke-UserHunter'
206            - 'Invoke-VoiceTroll'
207            - 'Invoke-Whisker'
208            - 'Invoke-WinEnum'
209            - 'Invoke-winPEAS'
210            - 'Invoke-WireTap'
211            - 'Invoke-WmiCommand'
212            - 'Invoke-WMIExec'
213            - 'Invoke-WScriptBypassUAC'
214            - 'Invoke-Zerologon'
215            - 'MailRaider'
216            - 'New-ADIDNSNode'
217            - 'New-DNSRecordArray'
218            - 'New-HoneyHash'
219            - 'New-InMemoryModule'
220            - 'New-MachineAccount'
221            - 'New-SOASerialNumberArray'
222            - 'Out-Minidump'
223            - 'Port-Scan'
224            - 'PowerBreach'
225            - 'powercat '
226            - 'PowerUp'
227            - 'PowerView'
228            - 'Remove-ADIDNSNode'
229            - 'Remove-MachineAccount'
230            - 'Remove-Update'
231            - 'Rename-ADIDNSNode'
232            - 'Revoke-ADIDNSPermission'
233            - 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
234            - 'Set-MacAttribute'
235            - 'Set-MachineAccountAttribute'
236            - 'Set-Wallpaper'
237            - 'Show-TargetScreen'
238            - 'Start-CaptureServer'
239            - 'Start-Dnscat2'
240            - 'Start-WebcamRecorder'
241            - 'VolumeShadowCopyTools'
242    condition: selection
243falsepositives:
244    - Unknown
245level: high

References

• » PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection » Active Directory Security

  

  This post is a follow-up of sorts from my earlier posts on PowerShell, my PowerShell presentation at BSides Baltimore, and my presentation at DEF CON 24. Hopefully this post provides current inform...

  
  Read More

• PowerSharpPack/PowerSharpBinaries at master · S3cur3Th1sSh1t/PowerSharpPack

  

  Contribute to S3cur3Th1sSh1t/PowerSharpPack development by creating an account on GitHub.

  
  Read More

• Invoke-ZeroLogon/Invoke-ZeroLogon.ps1 at 111d17c7fec486d9bb23387e2e828b09a26075e4 · BC-SECURITY/Invoke-ZeroLogon

  

  Invoke-ZeroLogon allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf. - BC-SECURITY/Invoke-ZeroLogon

  
  Read More

• RandomPS-Scripts/Get-DXWebcamVideo.ps1 at 848c919bfce4e2d67b626cbcf4404341cfe3d3b6 · xorrior/RandomPS-Scripts

  

  PowerShell Scripts focused on Post-Exploitation Capabilities - xorrior/RandomPS-Scripts

  
  Read More

• Misc-Powershell-Scripts/OfficeMemScraper.ps1 at 6f23bb41f9675d7e2d32bacccff75e931ae00554 · rvrsh3ll/Misc-Powershell-Scripts

  

  Random Tools. Contribute to rvrsh3ll/Misc-Powershell-Scripts development by creating an account on GitHub.

  
  Read More

• DomainPasswordSpray/DomainPasswordSpray.ps1 at b13d64a5834694aa73fd2aea9911a83027c465a7 · dafthack/DomainPasswordSpray

  

  DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain. BE VERY CAR...

  
  Read More

• Threat Assessment: Black Basta Ransomware

  

  Black Basta is ransomware as a service (RaaS) that first emerged in April 2022. However, evidence suggests that it has been in development since February. The Black Basta operator(s) use the double extortion technique, meaning that in addition to encrypting files on the systems of targeted organizations and demanding ransom to make decryption possible, they also maintain a dark web leak site where they threaten to post sensitive information if an organization chooses not to pay ransom.

  
  Read More

• Shining the Light on Black Basta

  

  This blog post documents some of the TTPs employed by a threat actor group who were observed deploying Black Basta ransomware during a recent incident response engagement, as well as a breakdown of…

  
  Read More

• GitHub - calebstewart/CVE-2021-1675: Pure PowerShell implementation of CVE-2021-1675 Print Spooler Local Privilege Escalation (PrintNightmare)

  

  Pure PowerShell implementation of CVE-2021-1675 Print Spooler Local Privilege Escalation (PrintNightmare) - calebstewart/CVE-2021-1675

  
  Read More

• BloodHound/Collectors/AzureHound.ps1 at 0927441f67161cc6dc08a53c63ceb8e333f55874 · BloodHoundAD/BloodHound

  

  Six Degrees of Domain Admin. Contribute to BloodHoundAD/BloodHound development by creating an account on GitHub.

  
  Read More

• AzureHound — BloodHound 4.3.1 documentation

  AzureHound AzureHound is a Go binary that collects data from AzureAD and AzureRM via the MS Graph and Azure REST APIs. It does not use any external dependencies and will run on any operating system...

  
  Read More

• GitHub - HarmJ0y/DAMP: The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification

  

  The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification - HarmJ0y/DAMP

  
  Read More

• GitHub - samratashok/nishang: Nishang - Offensive PowerShell for red team, penetration testing and offensive security.

  

  Nishang - Offensive PowerShell for red team, penetration testing and offensive security. - GitHub - samratashok/nishang: Nishang - Offensive PowerShell for red team, penetration testing and offens...

  
  Read More

• GitHub - PhrozenIO/PowerRunAsSystem: Run application as system with interactive system process support (active Windows session)

  

  Run application as system with interactive system process support (active Windows session) - PhrozenIO/PowerRunAsSystem

  
  Read More

• GitHub - besimorhino/powercat: netshell features all in version 2 powershell

  

  netshell features all in version 2 powershell. Contribute to besimorhino/powercat development by creating an account on GitHub.

  
  Read More

• GitHub - Kevin-Robertson/Powermad: PowerShell MachineAccountQuota and DNS exploit tools

  

  PowerShell MachineAccountQuota and DNS exploit tools - Kevin-Robertson/Powermad

  
  Read More

• GitHub - adrecon/ADRecon: ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.

  

  ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment. - GitHub - adr...

  
  Read More

• GitHub - adrecon/AzureADRecon: AzureADRecon is a tool which gathers information about the Azure Active Directory and generates a report which can provide a holistic picture of the current state of the target environment.

  

  AzureADRecon is a tool which gathers information about the Azure Active Directory and generates a report which can provide a holistic picture of the current state of the target environment. - adrec...

  
  Read More

Related rules

• Malicious PowerShell Commandlets - ProcessCreation
• Malicious PowerShell Commandlets - ScriptBlock
• HackTool - Bloodhound/Sharphound Execution
• PUA - AdFind Suspicious Execution
• Potential Active Directory Reconnaissance/Enumeration Via LDAP