Malicious PowerShell Commandlets - ScriptBlock
Detects Commandlet names from well-known PowerShell exploitation frameworks
Sigma rule (View on GitHub)
1title: Malicious PowerShell Commandlets - ScriptBlock
2id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
3related:
4 - id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
5 type: similar
6 - id: 02030f2f-6199-49ec-b258-ea71b07e03dc
7 type: similar
8 - id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
9 type: obsolete
10 - id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
11 type: obsolete
12status: test
13description: Detects Commandlet names from well-known PowerShell exploitation frameworks
14references:
15 - https://adsecurity.org/?p=2921
16 - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
17 - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
18 - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
19 - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
20 - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
21 - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
22 - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
23 - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
24 - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
25 - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
26 - https://github.com/HarmJ0y/DAMP
27 - https://github.com/samratashok/nishang
28 - https://github.com/DarkCoderSc/PowerRunAsSystem/
29 - https://github.com/besimorhino/powercat
30 - https://github.com/Kevin-Robertson/Powermad
31 - https://github.com/adrecon/ADRecon
32 - https://github.com/adrecon/AzureADRecon
33 - https://github.com/The-Viper-One/Invoke-PowerDPAPI/
34 - https://github.com/Arno0x/DNSExfiltrator/
35author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
36date: 2017-03-05
37modified: 2025-12-10
38tags:
39 - attack.execution
40 - attack.discovery
41 - attack.t1482
42 - attack.t1087
43 - attack.t1087.001
44 - attack.t1087.002
45 - attack.t1069.001
46 - attack.t1069.002
47 - attack.t1069
48 - attack.t1059.001
49logsource:
50 product: windows
51 category: ps_script
52 definition: 'Requirements: Script Block Logging must be enabled'
53detection:
54 selection:
55 ScriptBlockText|contains:
56 # Note: Please ensure alphabetical order when adding new entries
57 - 'Add-Exfiltration'
58 - 'Add-Persistence'
59 - 'Add-RegBackdoor'
60 - 'Add-RemoteRegBackdoor'
61 - 'Add-ScrnSaveBackdoor'
62 - 'ConvertTo-Rc4ByteStream'
63 - 'Decrypt-Hash'
64 - 'Disable-ADIDNSNode'
65 - 'Do-Exfiltration'
66 - 'Enable-ADIDNSNode'
67 - 'Enabled-DuplicateToken'
68 - 'Exploit-Jboss'
69 - 'Export-ADRCSV'
70 - 'Export-ADRExcel'
71 - 'Export-ADRHTML'
72 - 'Export-ADRJSON'
73 - 'Export-ADRXML'
74 - 'Find-Fruit'
75 - 'Find-GPOLocation'
76 - 'Find-TrustedDocuments'
77 - 'Get-ADIDNSNodeAttribute'
78 - 'Get-ADIDNSNodeOwner'
79 - 'Get-ADIDNSNodeTombstoned'
80 - 'Get-ADIDNSPermission'
81 - 'Get-ADIDNSZone'
82 - 'Get-ChromeDump'
83 - 'Get-ClipboardContents'
84 - 'Get-FoxDump'
85 - 'Get-GPPPassword'
86 - 'Get-IndexedItem'
87 - 'Get-KerberosAESKey'
88 - 'Get-Keystrokes'
89 - 'Get-LSASecret'
90 - 'Get-PassHashes'
91 - 'Get-RegAlwaysInstallElevated'
92 - 'Get-RegAutoLogon'
93 - 'Get-RemoteBootKey'
94 - 'Get-RemoteCachedCredential'
95 - 'Get-RemoteLocalAccountHash'
96 - 'Get-RemoteLSAKey'
97 - 'Get-RemoteMachineAccountHash'
98 - 'Get-RemoteNLKMKey'
99 - 'Get-RickAstley'
100 - 'Get-SecurityPackages'
101 - 'Get-ServiceFilePermission'
102 - 'Get-ServicePermission'
103 - 'Get-ServiceUnquoted'
104 - 'Get-SiteListPassword'
105 - 'Get-System'
106 - 'Get-TimedScreenshot'
107 - 'Get-UnattendedInstallFile'
108 - 'Get-Unconstrained'
109 - 'Get-USBKeystrokes'
110 - 'Get-VaultCredential'
111 - 'Get-VulnAutoRun'
112 - 'Get-VulnSchTask'
113 - 'Grant-ADIDNSPermission'
114 - 'Gupt-Backdoor'
115 - 'Invoke-ACLScanner'
116 - 'Invoke-ADRecon'
117 - 'Invoke-ADSBackdoor'
118 - 'Invoke-AgentSmith'
119 - 'Invoke-AllChecks'
120 - 'Invoke-ARPScan'
121 - 'Invoke-AzureHound'
122 - 'Invoke-BackdoorLNK'
123 - 'Invoke-BadPotato'
124 - 'Invoke-BetterSafetyKatz'
125 - 'Invoke-BypassUAC'
126 - 'Invoke-Carbuncle'
127 - 'Invoke-Certify'
128 - 'Invoke-ConPtyShell'
129 - 'Invoke-CredentialInjection'
130 - 'Invoke-DAFT'
131 - 'Invoke-DCSync'
132 - 'Invoke-DinvokeKatz'
133 - 'Invoke-DllInjection'
134 - 'Invoke-DNSUpdate'
135 - 'Invoke-DNSExfiltrator'
136 - 'Invoke-DomainPasswordSpray'
137 - 'Invoke-DowngradeAccount'
138 - 'Invoke-EgressCheck'
139 - 'Invoke-Eyewitness'
140 - 'Invoke-FakeLogonScreen'
141 - 'Invoke-Farmer'
142 - 'Invoke-Get-RBCD-Threaded'
143 - 'Invoke-Gopher'
144 - 'Invoke-Grouper' # Also Covers Invoke-GrouperX
145 - 'Invoke-HandleKatz'
146 - 'Invoke-ImpersonatedProcess'
147 - 'Invoke-ImpersonateSystem'
148 - 'Invoke-InteractiveSystemPowerShell'
149 - 'Invoke-Internalmonologue'
150 - 'Invoke-Inveigh'
151 - 'Invoke-InveighRelay'
152 - 'Invoke-KrbRelay'
153 - 'Invoke-LdapSignCheck'
154 - 'Invoke-Lockless'
155 - 'Invoke-MalSCCM'
156 - 'Invoke-Mimikatz'
157 - 'Invoke-Mimikittenz'
158 - 'Invoke-MITM6'
159 - 'Invoke-NanoDump'
160 - 'Invoke-NetRipper'
161 - 'Invoke-Nightmare'
162 - 'Invoke-NinjaCopy'
163 - 'Invoke-OfficeScrape'
164 - 'Invoke-OxidResolver'
165 - 'Invoke-P0wnedshell'
166 - 'Invoke-Paranoia'
167 - 'Invoke-PortScan'
168 - 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
169 - 'Invoke-PostExfil'
170 - 'Invoke-PowerDump'
171 - 'Invoke-PowerDPAPI'
172 - 'Invoke-PowerShellTCP'
173 - 'Invoke-PowerShellWMI'
174 - 'Invoke-PPLDump'
175 - 'Invoke-PsExec'
176 - 'Invoke-PSInject'
177 - 'Invoke-PsUaCme'
178 - 'Invoke-ReflectivePEInjection'
179 - 'Invoke-ReverseDNSLookup'
180 - 'Invoke-Rubeus'
181 - 'Invoke-RunAs'
182 - 'Invoke-SafetyKatz'
183 - 'Invoke-SauronEye'
184 - 'Invoke-SCShell'
185 - 'Invoke-Seatbelt'
186 - 'Invoke-ServiceAbuse'
187 - 'Invoke-ShadowSpray'
188 - 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
189 - 'Invoke-Shellcode'
190 - 'Invoke-SMBScanner'
191 - 'Invoke-Snaffler'
192 - 'Invoke-Spoolsample'
193 - 'Invoke-SpraySinglePassword'
194 - 'Invoke-SSHCommand'
195 - 'Invoke-StandIn'
196 - 'Invoke-StickyNotesExtract'
197 - 'Invoke-SystemCommand'
198 - 'Invoke-Tasksbackdoor'
199 - 'Invoke-Tater'
200 - 'Invoke-Thunderfox'
201 - 'Invoke-ThunderStruck'
202 - 'Invoke-TokenManipulation'
203 - 'Invoke-Tokenvator'
204 - 'Invoke-TotalExec'
205 - 'Invoke-UrbanBishop'
206 - 'Invoke-UserHunter'
207 - 'Invoke-VoiceTroll'
208 - 'Invoke-Whisker'
209 - 'Invoke-WinEnum'
210 - 'Invoke-winPEAS'
211 - 'Invoke-WireTap'
212 - 'Invoke-WmiCommand'
213 - 'Invoke-WMIExec'
214 - 'Invoke-WScriptBypassUAC'
215 - 'Invoke-Zerologon'
216 - 'MailRaider'
217 - 'New-ADIDNSNode'
218 - 'New-HoneyHash'
219 - 'New-InMemoryModule'
220 - 'New-SOASerialNumberArray'
221 - 'Out-Minidump'
222 - 'PowerBreach'
223 - 'powercat '
224 - 'PowerUp'
225 - 'PowerView'
226 - 'Remove-ADIDNSNode'
227 - 'Remove-Update'
228 - 'Rename-ADIDNSNode'
229 - 'Revoke-ADIDNSPermission'
230 - 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
231 - 'Show-TargetScreen'
232 - 'Start-CaptureServer'
233 - 'Start-Dnscat2'
234 - 'Start-WebcamRecorder'
235 - 'VolumeShadowCopyTools'
236 # - 'Check-VM'
237 # - 'Disable-MachineAccount'
238 # - 'Enable-MachineAccount'
239 # - 'Get-ApplicationHost'
240 # - 'Get-MachineAccountAttribute'
241 # - 'Get-MachineAccountCreator'
242 # - 'Get-Screenshot'
243 # - 'HTTP-Login'
244 # - 'Install-ServiceBinary'
245 # - 'Install-SSP'
246 # - 'New-DNSRecordArray'
247 # - 'New-MachineAccount'
248 # - 'Port-Scan'
249 # - 'Remove-MachineAccount'
250 # - 'Set-MacAttribute'
251 # - 'Set-MachineAccountAttribute'
252 # - 'Set-Wallpaper'
253 filter_optional_amazon_ec2:
254 ScriptBlockText|contains:
255 - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
256 - C:\ProgramData\Amazon\EC2-Windows\Launch\Module\ # false positive form Amazon EC2
257 condition: selection and not 1 of filter_optional_*
258falsepositives:
259 - Unknown
260level: high
References
-
This post is a follow-up of sorts from my earlier posts on PowerShell, my PowerShell presentation at BSides Baltimore, and my presentation at DEF CON 24. Hopefully this post provides current information on PowerShell usage for both Blue and Red teams. Related posts: BSides Charm Presentation Posted: PowerShell Security: Defending the Enterprise from the Latest ...
Read More -
-
Invoke-ZeroLogon allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf. - BC-SECURITY/Invoke-ZeroLogon
Read More -
-
Random Tools. Contribute to rvrsh3ll/Misc-Powershell-Scripts development by creating an account on GitHub.
Read More -
DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain. BE VERY CAR...
Read More -
Black Basta is ransomware as a service (RaaS) that first emerged in April 2022. However, evidence suggests that it has been in development since February. The Black Basta operator(s) use the double extortion technique, meaning that in addition to encrypting files on the systems of targeted organizations and demanding ransom to make decryption possible, they also maintain a dark web leak site where they threaten to post sensitive information if an organization chooses not to pay ransom.
Read More -
Cutting-edge cyber security research from NCC Group. Find public reports, technical advisories, analyses, & other novel insights from our global experts.
Read More -
Pure PowerShell implementation of CVE-2021-1675 Print Spooler Local Privilege Escalation (PrintNightmare) - calebstewart/CVE-2021-1675
Read More -
Six Degrees of Domain Admin. Contribute to SpecterOps/BloodHound-Legacy development by creating an account on GitHub.
Read More -
The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification - HarmJ0y/DAMP
Read More -
Nishang - Offensive PowerShell for red team, penetration testing and offensive security. - GitHub - samratashok/nishang: Nishang - Offensive PowerShell for red team, penetration testing and offens...
Read More -
PowerRunAsSystem is a PowerShell script, also available as an installable module through the PowerShell Gallery, designed to impersonate the NT AUTHORITY/SYSTEM user and execute commands or launch ...
Read More -
netshell features all in version 2 powershell. Contribute to besimorhino/powercat development by creating an account on GitHub.
Read More -
-
ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment. - GitHub - adr...
Read More -
AzureADRecon is a tool which gathers information about the Azure Active Directory and generates a report which can provide a holistic picture of the current state of the target environment. - adrec...
Read More -
Decrypt SCCM and DPAPI secrets with Powershell. . Contribute to The-Viper-One/Invoke-PowerDPAPI development by creating an account on GitHub.
Read More -
Data exfiltration over DNS request covert channel. Contribute to Arno0x/DNSExfiltrator development by creating an account on GitHub.
Read More
Related rules
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Commandlets - ProcessCreation
- BloodHound Collection Files
- HackTool - Bloodhound/Sharphound Execution
- PUA - AdFind Suspicious Execution