Malicious PowerShell Commandlets - PoshModule
Detects Commandlet names from well-known PowerShell exploitation frameworks
Sigma rule (View on GitHub)
1title: Malicious PowerShell Commandlets - PoshModule
2id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
3related:
4 - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
5 type: similar
6 - id: 02030f2f-6199-49ec-b258-ea71b07e03dc
7 type: similar
8status: test
9description: Detects Commandlet names from well-known PowerShell exploitation frameworks
10references:
11 - https://adsecurity.org/?p=2921
12 - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
13 - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
14 - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
15 - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
16 - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
17 - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
18 - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
19 - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
20 - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
21 - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
22 - https://github.com/HarmJ0y/DAMP
23 - https://github.com/samratashok/nishang
24 - https://github.com/DarkCoderSc/PowerRunAsSystem/
25 - https://github.com/besimorhino/powercat
26 - https://github.com/Kevin-Robertson/Powermad
27 - https://github.com/adrecon/ADRecon
28 - https://github.com/adrecon/AzureADRecon
29 - https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
30author: Nasreddine Bencherchali (Nextron Systems)
31date: 2023-01-20
32modified: 2025-02-25
33tags:
34 - attack.execution
35 - attack.discovery
36 - attack.t1482
37 - attack.t1087
38 - attack.t1087.001
39 - attack.t1087.002
40 - attack.t1069.001
41 - attack.t1069.002
42 - attack.t1069
43 - attack.t1059.001
44logsource:
45 product: windows
46 category: ps_module
47 definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
48detection:
49 selection:
50 Payload|contains:
51 # Note: Please ensure alphabetical order when adding new entries
52 - 'Add-Exfiltration'
53 - 'Add-Persistence'
54 - 'Add-RegBackdoor'
55 - 'Add-RemoteRegBackdoor'
56 - 'Add-ScrnSaveBackdoor'
57 - 'Check-VM'
58 - 'ConvertTo-Rc4ByteStream'
59 - 'Decrypt-Hash'
60 - 'Disable-ADIDNSNode'
61 - 'Disable-MachineAccount'
62 - 'Do-Exfiltration'
63 - 'Enable-ADIDNSNode'
64 - 'Enable-MachineAccount'
65 - 'Enabled-DuplicateToken'
66 - 'Exploit-Jboss'
67 - 'Export-ADR' # # ADRecon related cmdlets
68 - 'Export-ADRCSV' # # ADRecon related cmdlets
69 - 'Export-ADRExcel' # # ADRecon related cmdlets
70 - 'Export-ADRHTML' # # ADRecon related cmdlets
71 - 'Export-ADRJSON' # # ADRecon related cmdlets
72 - 'Export-ADRXML' # # ADRecon related cmdlets
73 - 'Find-Fruit'
74 - 'Find-GPOLocation'
75 - 'Find-TrustedDocuments'
76 - 'Get-ADIDNS' # Covers: Get-ADIDNSNodeAttribute, Get-ADIDNSNodeOwner, Get-ADIDNSNodeTombstoned, Get-ADIDNSPermission, Get-ADIDNSZone
77 - 'Get-ApplicationHost'
78 - 'Get-ChromeDump'
79 - 'Get-ClipboardContents'
80 - 'Get-FoxDump'
81 - 'Get-GPPPassword'
82 - 'Get-IndexedItem'
83 - 'Get-KerberosAESKey'
84 - 'Get-Keystrokes'
85 - 'Get-LSASecret'
86 - 'Get-MachineAccountAttribute'
87 - 'Get-MachineAccountCreator'
88 - 'Get-PassHashes'
89 - 'Get-RegAlwaysInstallElevated'
90 - 'Get-RegAutoLogon'
91 - 'Get-RemoteBootKey'
92 - 'Get-RemoteCachedCredential'
93 - 'Get-RemoteLocalAccountHash'
94 - 'Get-RemoteLSAKey'
95 - 'Get-RemoteMachineAccountHash'
96 - 'Get-RemoteNLKMKey'
97 - 'Get-RickAstley'
98 - 'Get-Screenshot'
99 - 'Get-SecurityPackages'
100 - 'Get-ServiceFilePermission'
101 - 'Get-ServicePermission'
102 - 'Get-ServiceUnquoted'
103 - 'Get-SiteListPassword'
104 - 'Get-System'
105 - 'Get-TimedScreenshot'
106 - 'Get-UnattendedInstallFile'
107 - 'Get-Unconstrained'
108 - 'Get-USBKeystrokes'
109 - 'Get-VaultCredential'
110 - 'Get-VulnAutoRun'
111 - 'Get-VulnSchTask'
112 - 'Grant-ADIDNSPermission'
113 - 'Gupt-Backdoor'
114 - 'HTTP-Login'
115 - 'Install-ServiceBinary'
116 - 'Install-SSP'
117 - 'Invoke-ACLScanner'
118 - 'Invoke-ADRecon' # # ADRecon related cmdlets
119 - 'Invoke-ADSBackdoor'
120 - 'Invoke-AgentSmith'
121 - 'Invoke-AllChecks'
122 - 'Invoke-ARPScan'
123 - 'Invoke-AzureHound'
124 - 'Invoke-BackdoorLNK'
125 - 'Invoke-BadPotato'
126 - 'Invoke-BetterSafetyKatz'
127 - 'Invoke-BypassUAC'
128 - 'Invoke-Carbuncle'
129 - 'Invoke-Certify'
130 - 'Invoke-ConPtyShell'
131 - 'Invoke-CredentialInjection'
132 - 'Invoke-DAFT'
133 - 'Invoke-DCSync'
134 - 'Invoke-DinvokeKatz'
135 - 'Invoke-DllInjection'
136 - 'Invoke-DNSUpdate'
137 - 'Invoke-DomainPasswordSpray'
138 - 'Invoke-DowngradeAccount'
139 - 'Invoke-EgressCheck'
140 - 'Invoke-Eyewitness'
141 - 'Invoke-FakeLogonScreen'
142 - 'Invoke-Farmer'
143 - 'Invoke-Get-RBCD-Threaded'
144 - 'Invoke-Gopher'
145 - 'Invoke-Grouper' # Also Covers Invoke-GrouperX
146 - 'Invoke-HandleKatz'
147 - 'Invoke-ImpersonatedProcess'
148 - 'Invoke-ImpersonateSystem'
149 - 'Invoke-InteractiveSystemPowerShell'
150 - 'Invoke-Internalmonologue'
151 - 'Invoke-Inveigh'
152 - 'Invoke-InveighRelay'
153 - 'Invoke-KrbRelay'
154 - 'Invoke-LdapSignCheck'
155 - 'Invoke-Lockless'
156 - 'Invoke-MalSCCM'
157 - 'Invoke-Mimikatz'
158 - 'Invoke-Mimikittenz'
159 - 'Invoke-MITM6'
160 - 'Invoke-NanoDump'
161 - 'Invoke-NetRipper'
162 - 'Invoke-Nightmare'
163 - 'Invoke-NinjaCopy'
164 - 'Invoke-OfficeScrape'
165 - 'Invoke-OxidResolver'
166 - 'Invoke-P0wnedshell'
167 - 'Invoke-Paranoia'
168 - 'Invoke-PortScan'
169 - 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
170 - 'Invoke-PostExfil'
171 - 'Invoke-PowerDump'
172 - 'Invoke-PowerShellTCP'
173 - 'Invoke-PowerShellWMI'
174 - 'Invoke-PPLDump'
175 - 'Invoke-PsExec'
176 - 'Invoke-PSInject'
177 - 'Invoke-PsUaCme'
178 - 'Invoke-ReflectivePEInjection'
179 - 'Invoke-ReverseDNSLookup'
180 - 'Invoke-Rubeus'
181 - 'Invoke-RunAs'
182 - 'Invoke-SafetyKatz'
183 - 'Invoke-SauronEye'
184 - 'Invoke-SCShell'
185 - 'Invoke-Seatbelt'
186 - 'Invoke-ServiceAbuse'
187 - 'Invoke-ShadowSpray'
188 - 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
189 - 'Invoke-Shellcode'
190 - 'Invoke-SMBScanner'
191 - 'Invoke-Snaffler'
192 - 'Invoke-Spoolsample'
193 - 'Invoke-SpraySinglePassword'
194 - 'Invoke-SSHCommand'
195 - 'Invoke-StandIn'
196 - 'Invoke-StickyNotesExtract'
197 - 'Invoke-SystemCommand'
198 - 'Invoke-Tasksbackdoor'
199 - 'Invoke-Tater'
200 - 'Invoke-Thunderfox'
201 - 'Invoke-ThunderStruck'
202 - 'Invoke-TokenManipulation'
203 - 'Invoke-Tokenvator'
204 - 'Invoke-TotalExec'
205 - 'Invoke-UrbanBishop'
206 - 'Invoke-UserHunter'
207 - 'Invoke-VoiceTroll'
208 - 'Invoke-Whisker'
209 - 'Invoke-WinEnum'
210 - 'Invoke-winPEAS'
211 - 'Invoke-WireTap'
212 - 'Invoke-WmiCommand'
213 - 'Invoke-WMIExec'
214 - 'Invoke-WScriptBypassUAC'
215 - 'Invoke-Zerologon'
216 - 'MailRaider'
217 - 'New-ADIDNSNode'
218 - 'New-DNSRecordArray'
219 - 'New-HoneyHash'
220 - 'New-InMemoryModule'
221 - 'New-MachineAccount'
222 - 'New-SOASerialNumberArray'
223 - 'Out-Minidump'
224 - 'Port-Scan'
225 - 'PowerBreach'
226 - 'powercat '
227 - 'PowerUp'
228 - 'PowerView'
229 - 'Remove-ADIDNSNode'
230 - 'Remove-MachineAccount'
231 - 'Remove-Update'
232 - 'Rename-ADIDNSNode'
233 - 'Revoke-ADIDNSPermission'
234 - 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
235 - 'Set-MacAttribute'
236 - 'Set-MachineAccountAttribute'
237 - 'Set-Wallpaper'
238 - 'Show-TargetScreen'
239 - 'Start-CaptureServer'
240 - 'Start-Dnscat2'
241 - 'Start-WebcamRecorder'
242 - 'Veeam-Get-Creds'
243 - 'VolumeShadowCopyTools'
244 condition: selection
245falsepositives:
246 - Unknown
247level: high
References
-
This post is a follow-up of sorts from my earlier posts on PowerShell, my PowerShell presentation at BSides Baltimore, and my presentation at DEF CON 24. Hopefully this post provides current inform...
Read More -
-
Invoke-ZeroLogon allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf. - BC-SECURITY/Invoke-ZeroLogon
Read More -
-
Random Tools. Contribute to rvrsh3ll/Misc-Powershell-Scripts development by creating an account on GitHub.
Read More -
DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain. BE VERY CAR...
Read More -
Black Basta is ransomware as a service (RaaS) that first emerged in April 2022. However, evidence suggests that it has been in development since February. The Black Basta operator(s) use the double extortion technique, meaning that in addition to encrypting files on the systems of targeted organizations and demanding ransom to make decryption possible, they also maintain a dark web leak site where they threaten to post sensitive information if an organization chooses not to pay ransom.
Read More -
This research was conducted by Ross Inman (@rdi_x64) and Peter Gurney from NCC Group Cyber Incident Response Team. You can find more here Incident Response – NCC Group Summary tl;dr This blog post ...
Read More -
Pure PowerShell implementation of CVE-2021-1675 Print Spooler Local Privilege Escalation (PrintNightmare) - calebstewart/CVE-2021-1675
Read More -
Six Degrees of Domain Admin. Contribute to SpecterOps/BloodHound-Legacy development by creating an account on GitHub.
Read More -
AzureHound AzureHound is a Go binary that collects data from AzureAD and AzureRM via the MS Graph and Azure REST APIs. It does not use any external dependencies and will run on any operating system...
Read More -
The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification - HarmJ0y/DAMP
Read More -
Nishang - Offensive PowerShell for red team, penetration testing and offensive security. - GitHub - samratashok/nishang: Nishang - Offensive PowerShell for red team, penetration testing and offens...
Read More -
PowerRunAsSystem is a PowerShell script, also available as an installable module through the PowerShell Gallery, designed to impersonate the NT AUTHORITY/SYSTEM user and execute commands or launch ...
Read More -
netshell features all in version 2 powershell. Contribute to besimorhino/powercat development by creating an account on GitHub.
Read More -
-
ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment. - GitHub - adr...
Read More -
AzureADRecon is a tool which gathers information about the Azure Active Directory and generates a report which can provide a holistic picture of the current state of the target environment. - adrec...
Read More -
Collection of scripts to retrieve stored passwords from Veeam Backup - sadshade/veeam-creds
Read More
Related rules
- Malicious PowerShell Commandlets - ProcessCreation
- Malicious PowerShell Commandlets - ScriptBlock
- BloodHound Collection Files
- HackTool - Bloodhound/Sharphound Execution
- Renamed AdFind Execution