Malicious PowerShell Commandlets - ScriptBlock
Detects Commandlet names from well-known PowerShell exploitation frameworks
Sigma rule
title: Malicious PowerShell Commandlets - ScriptBlock
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
related:
    - id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
      type: similar
    - id: 02030f2f-6199-49ec-b258-ea71b07e03dc
      type: similar
    - id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
      type: obsolete
    - id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
      type: obsolete
status: test
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
    - https://adsecurity.org/?p=2921
    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
    - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
    - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
    - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
    - https://github.com/HarmJ0y/DAMP
    - https://github.com/samratashok/nishang
    - https://github.com/DarkCoderSc/PowerRunAsSystem/
    - https://github.com/besimorhino/powercat
    - https://github.com/Kevin-Robertson/Powermad
    - https://github.com/adrecon/ADRecon
    - https://github.com/adrecon/AzureADRecon
author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
date: 2017-03-05
modified: 2024-01-25
tags:
    - attack.execution
    - attack.discovery
    - attack.t1482
    - attack.t1087
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1069.001
    - attack.t1069.002
    - attack.t1069
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            # Note: Please ensure alphabetical order when adding new entries
            - 'Add-Exfiltration'
            - 'Add-Persistence'
            - 'Add-RegBackdoor'
            - 'Add-RemoteRegBackdoor'
            - 'Add-ScrnSaveBackdoor'
            - 'ConvertTo-Rc4ByteStream'
            - 'Decrypt-Hash'
            - 'Disable-ADIDNSNode'
            - 'Do-Exfiltration'
            - 'Enable-ADIDNSNode'
            - 'Enabled-DuplicateToken'
            - 'Exploit-Jboss'
            - 'Export-ADRCSV'
            - 'Export-ADRExcel'
            - 'Export-ADRHTML'
            - 'Export-ADRJSON'
            - 'Export-ADRXML'
            - 'Find-Fruit'
            - 'Find-GPOLocation'
            - 'Find-TrustedDocuments'
            - 'Get-ADIDNSNodeAttribute'
            - 'Get-ADIDNSNodeOwner'
            - 'Get-ADIDNSNodeTombstoned'
            - 'Get-ADIDNSPermission'
            - 'Get-ADIDNSZone'
            - 'Get-ChromeDump'
            - 'Get-ClipboardContents'
            - 'Get-FoxDump'
            - 'Get-GPPPassword'
            - 'Get-IndexedItem'
            - 'Get-KerberosAESKey'
            - 'Get-Keystrokes'
            - 'Get-LSASecret'
            - 'Get-PassHashes'
            - 'Get-RegAlwaysInstallElevated'
            - 'Get-RegAutoLogon'
            - 'Get-RemoteBootKey'
            - 'Get-RemoteCachedCredential'
            - 'Get-RemoteLocalAccountHash'
            - 'Get-RemoteLSAKey'
            - 'Get-RemoteMachineAccountHash'
            - 'Get-RemoteNLKMKey'
            - 'Get-RickAstley'
            - 'Get-SecurityPackages'
            - 'Get-ServiceFilePermission'
            - 'Get-ServicePermission'
            - 'Get-ServiceUnquoted'
            - 'Get-SiteListPassword'
            - 'Get-System'
            - 'Get-TimedScreenshot'
            - 'Get-UnattendedInstallFile'
            - 'Get-Unconstrained'
            - 'Get-USBKeystrokes'
            - 'Get-VaultCredential'
            - 'Get-VulnAutoRun'
            - 'Get-VulnSchTask'
            - 'Grant-ADIDNSPermission'
            - 'Gupt-Backdoor'
            - 'Invoke-ACLScanner'
            - 'Invoke-ADRecon'
            - 'Invoke-ADSBackdoor'
            - 'Invoke-AgentSmith'
            - 'Invoke-AllChecks'
            - 'Invoke-ARPScan'
            - 'Invoke-AzureHound'
            - 'Invoke-BackdoorLNK'
            - 'Invoke-BadPotato'
            - 'Invoke-BetterSafetyKatz'
            - 'Invoke-BypassUAC'
            - 'Invoke-Carbuncle'
            - 'Invoke-Certify'
            - 'Invoke-ConPtyShell'
            - 'Invoke-CredentialInjection'
            - 'Invoke-DAFT'
            - 'Invoke-DCSync'
            - 'Invoke-DinvokeKatz'
            - 'Invoke-DllInjection'
            - 'Invoke-DNSUpdate'
            - 'Invoke-DomainPasswordSpray'
            - 'Invoke-DowngradeAccount'
            - 'Invoke-EgressCheck'
            - 'Invoke-Eyewitness'
            - 'Invoke-FakeLogonScreen'
            - 'Invoke-Farmer'
            - 'Invoke-Get-RBCD-Threaded'
            - 'Invoke-Gopher'
            - 'Invoke-Grouper' # Also Covers Invoke-GrouperX
            - 'Invoke-HandleKatz'
            - 'Invoke-ImpersonatedProcess'
            - 'Invoke-ImpersonateSystem'
            - 'Invoke-InteractiveSystemPowerShell'
            - 'Invoke-Internalmonologue'
            - 'Invoke-Inveigh'
            - 'Invoke-InveighRelay'
            - 'Invoke-KrbRelay'
            - 'Invoke-LdapSignCheck'
            - 'Invoke-Lockless'
            - 'Invoke-MalSCCM'
            - 'Invoke-Mimikatz'
            - 'Invoke-Mimikittenz'
            - 'Invoke-MITM6'
            - 'Invoke-NanoDump'
            - 'Invoke-NetRipper'
            - 'Invoke-Nightmare'
            - 'Invoke-NinjaCopy'
            - 'Invoke-OfficeScrape'
            - 'Invoke-OxidResolver'
            - 'Invoke-P0wnedshell'
            - 'Invoke-Paranoia'
            - 'Invoke-PortScan'
            - 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
            - 'Invoke-PostExfil'
            - 'Invoke-PowerDump'
            - 'Invoke-PowerShellTCP'
            - 'Invoke-PowerShellWMI'
            - 'Invoke-PPLDump'
            - 'Invoke-PsExec'
            - 'Invoke-PSInject'
            - 'Invoke-PsUaCme'
            - 'Invoke-ReflectivePEInjection'
            - 'Invoke-ReverseDNSLookup'
            - 'Invoke-Rubeus'
            - 'Invoke-RunAs'
            - 'Invoke-SafetyKatz'
            - 'Invoke-SauronEye'
            - 'Invoke-SCShell'
            - 'Invoke-Seatbelt'
            - 'Invoke-ServiceAbuse'
            - 'Invoke-ShadowSpray'
            - 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
            - 'Invoke-Shellcode'
            - 'Invoke-SMBScanner'
            - 'Invoke-Snaffler'
            - 'Invoke-Spoolsample'
            - 'Invoke-SpraySinglePassword'
            - 'Invoke-SSHCommand'
            - 'Invoke-StandIn'
            - 'Invoke-StickyNotesExtract'
            - 'Invoke-SystemCommand'
            - 'Invoke-Tasksbackdoor'
            - 'Invoke-Tater'
            - 'Invoke-Thunderfox'
            - 'Invoke-ThunderStruck'
            - 'Invoke-TokenManipulation'
            - 'Invoke-Tokenvator'
            - 'Invoke-TotalExec'
            - 'Invoke-UrbanBishop'
            - 'Invoke-UserHunter'
            - 'Invoke-VoiceTroll'
            - 'Invoke-Whisker'
            - 'Invoke-WinEnum'
            - 'Invoke-winPEAS'
            - 'Invoke-WireTap'
            - 'Invoke-WmiCommand'
            - 'Invoke-WMIExec'
            - 'Invoke-WScriptBypassUAC'
            - 'Invoke-Zerologon'
            - 'MailRaider'
            - 'New-ADIDNSNode'
            - 'New-HoneyHash'
            - 'New-InMemoryModule'
            - 'New-SOASerialNumberArray'
            - 'Out-Minidump'
            - 'PowerBreach'
            - 'powercat '
            - 'PowerUp'
            - 'PowerView'
            - 'Remove-ADIDNSNode'
            - 'Remove-Update'
            - 'Rename-ADIDNSNode'
            - 'Revoke-ADIDNSPermission'
            - 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
            - 'Show-TargetScreen'
            - 'Start-CaptureServer'
            - 'Start-Dnscat2'
            - 'Start-WebcamRecorder'
            - 'VolumeShadowCopyTools'
            # - 'Check-VM'
            # - 'Disable-MachineAccount'
            # - 'Enable-MachineAccount'
            # - 'Get-ApplicationHost'
            # - 'Get-MachineAccountAttribute'
            # - 'Get-MachineAccountCreator'
            # - 'Get-Screenshot'
            # - 'HTTP-Login'
            # - 'Install-ServiceBinary'
            # - 'Install-SSP'
            # - 'New-DNSRecordArray'
            # - 'New-MachineAccount'
            # - 'Port-Scan'
            # - 'Remove-MachineAccount'
            # - 'Set-MacAttribute'
            # - 'Set-MachineAccountAttribute'
            # - 'Set-Wallpaper'
    filter_optional_amazon_ec2:
        ScriptBlockText|contains:
            - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
            - C:\ProgramData\Amazon\EC2-Windows\Launch\Module\ # false positive from Amazon EC2
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
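The rule's condition, `selection and not 1 of filter_optional_*`, evaluated over constructed Script Block Logging (Event ID 4104) records. This is an added example, not code from the Sigma project; it keeps only a handful of the rule's selection terms, treats `contains` as case-insensitive as Sigma does, and shows that `Get-System` also matches the benign `Get-SystemDriveInfo`, which the EC2 filter suppresses.

```python
# Added example (not part of the Sigma project): evaluates the rule's condition
# 'selection and not 1 of filter_optional_*' over constructed Event ID 4104 records.
from typing import Iterable

# Constructed subset of the rule's selection list; the full rule carries many more entries.
SELECTION = [
    "Get-GPPPassword",
    "Get-System",          # also a substring of the benign Get-SystemDriveInfo
    "Invoke-DCSync",
    "Invoke-Mimikatz",
    "Invoke-Zerologon",
]

# filter_optional_amazon_ec2 values as given in the rule
FILTER_AMAZON_EC2 = [
    "Get-SystemDriveInfo",
    "C:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Module\\",
]


def triggered_terms(script_block_text: str, terms: Iterable[str] = SELECTION) -> list[str]:
    """Return the terms found in the block; Sigma 'contains' matches case-insensitively."""
    lowered = script_block_text.lower()
    return [t for t in terms if t.lower() in lowered]


def matches(script_block_text: str) -> bool:
    """True when the rule would fire on this ScriptBlockText value."""
    selection = bool(triggered_terms(script_block_text, SELECTION))
    filtered = bool(triggered_terms(script_block_text, FILTER_AMAZON_EC2))
    return selection and not filtered


def evaluate(events: list[dict]) -> list[dict]:
    """Return the 4104 events the rule alerts on, annotated with the matched terms for triage."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 4104 and matches(ev["ScriptBlockText"]):
            hits.append({**ev, "matched": triggered_terms(ev["ScriptBlockText"])})
    return hits


# Constructed sample records, not real telemetry
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "invoke-mimikatz -dumpcreds"},
    {"EventID": 4104, "ScriptBlockText": "function Get-SystemDriveInfo { Get-PSDrive C }"},
    {"EventID": 4104, "ScriptBlockText": "Get-Process | Where-Object CPU -gt 100"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit["matched"], hit["ScriptBlockText"])
```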
Related rules
- Malicious PowerShell Commandlets - PoshModule
- BloodHound Collection Files
- HackTool - Bloodhound/Sharphound Execution
- PUA - AdFind Suspicious Execution
- Suspicious Use of PsLogList