Malicious PowerShell Commandlets - ScriptBlock

Detects Commandlet names from well-known PowerShell exploitation frameworks

Sigma rule (View on GitHub)

  1title: Malicious PowerShell Commandlets - ScriptBlock
  2id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
  3related:
  4    - id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
  5      type: similar
  6    - id: 02030f2f-6199-49ec-b258-ea71b07e03dc
  7      type: similar
  8    - id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
  9      type: obsolete
 10    - id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
 11      type: obsolete
 12status: test
 13description: Detects Commandlet names from well-known PowerShell exploitation frameworks
 14references:
 15    - https://adsecurity.org/?p=2921
 16    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
 17    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
 18    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
 19    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
 20    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
 21    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
 22    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
 23    - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
 24    - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
 25    - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
 26    - https://github.com/HarmJ0y/DAMP
 27    - https://github.com/samratashok/nishang
 28    - https://github.com/DarkCoderSc/PowerRunAsSystem/
 29    - https://github.com/besimorhino/powercat
 30    - https://github.com/Kevin-Robertson/Powermad
 31    - https://github.com/adrecon/ADRecon
 32    - https://github.com/adrecon/AzureADRecon
 33    - https://github.com/The-Viper-One/Invoke-PowerDPAPI/
 34author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
 35date: 2017-03-05
 36modified: 2025-07-06
 37tags:
 38    - attack.execution
 39    - attack.discovery
 40    - attack.t1482
 41    - attack.t1087
 42    - attack.t1087.001
 43    - attack.t1087.002
 44    - attack.t1069.001
 45    - attack.t1069.002
 46    - attack.t1069
 47    - attack.t1059.001
 48logsource:
 49    product: windows
 50    category: ps_script
 51    definition: 'Requirements: Script Block Logging must be enabled'
 52detection:
 53    selection:
 54        ScriptBlockText|contains:
 55            # Note: Please ensure alphabetical order when adding new entries
 56            - 'Add-Exfiltration'
 57            - 'Add-Persistence'
 58            - 'Add-RegBackdoor'
 59            - 'Add-RemoteRegBackdoor'
 60            - 'Add-ScrnSaveBackdoor'
 61            - 'ConvertTo-Rc4ByteStream'
 62            - 'Decrypt-Hash'
 63            - 'Disable-ADIDNSNode'
 64            - 'Do-Exfiltration'
 65            - 'Enable-ADIDNSNode'
 66            - 'Enabled-DuplicateToken'
 67            - 'Exploit-Jboss'
 68            - 'Export-ADRCSV'
 69            - 'Export-ADRExcel'
 70            - 'Export-ADRHTML'
 71            - 'Export-ADRJSON'
 72            - 'Export-ADRXML'
 73            - 'Find-Fruit'
 74            - 'Find-GPOLocation'
 75            - 'Find-TrustedDocuments'
 76            - 'Get-ADIDNSNodeAttribute'
 77            - 'Get-ADIDNSNodeOwner'
 78            - 'Get-ADIDNSNodeTombstoned'
 79            - 'Get-ADIDNSPermission'
 80            - 'Get-ADIDNSZone'
 81            - 'Get-ChromeDump'
 82            - 'Get-ClipboardContents'
 83            - 'Get-FoxDump'
 84            - 'Get-GPPPassword'
 85            - 'Get-IndexedItem'
 86            - 'Get-KerberosAESKey'
 87            - 'Get-Keystrokes'
 88            - 'Get-LSASecret'
 89            - 'Get-PassHashes'
 90            - 'Get-RegAlwaysInstallElevated'
 91            - 'Get-RegAutoLogon'
 92            - 'Get-RemoteBootKey'
 93            - 'Get-RemoteCachedCredential'
 94            - 'Get-RemoteLocalAccountHash'
 95            - 'Get-RemoteLSAKey'
 96            - 'Get-RemoteMachineAccountHash'
 97            - 'Get-RemoteNLKMKey'
 98            - 'Get-RickAstley'
 99            - 'Get-SecurityPackages'
100            - 'Get-ServiceFilePermission'
101            - 'Get-ServicePermission'
102            - 'Get-ServiceUnquoted'
103            - 'Get-SiteListPassword'
104            - 'Get-System'
105            - 'Get-TimedScreenshot'
106            - 'Get-UnattendedInstallFile'
107            - 'Get-Unconstrained'
108            - 'Get-USBKeystrokes'
109            - 'Get-VaultCredential'
110            - 'Get-VulnAutoRun'
111            - 'Get-VulnSchTask'
112            - 'Grant-ADIDNSPermission'
113            - 'Gupt-Backdoor'
114            - 'Invoke-ACLScanner'
115            - 'Invoke-ADRecon'
116            - 'Invoke-ADSBackdoor'
117            - 'Invoke-AgentSmith'
118            - 'Invoke-AllChecks'
119            - 'Invoke-ARPScan'
120            - 'Invoke-AzureHound'
121            - 'Invoke-BackdoorLNK'
122            - 'Invoke-BadPotato'
123            - 'Invoke-BetterSafetyKatz'
124            - 'Invoke-BypassUAC'
125            - 'Invoke-Carbuncle'
126            - 'Invoke-Certify'
127            - 'Invoke-ConPtyShell'
128            - 'Invoke-CredentialInjection'
129            - 'Invoke-DAFT'
130            - 'Invoke-DCSync'
131            - 'Invoke-DinvokeKatz'
132            - 'Invoke-DllInjection'
133            - 'Invoke-DNSUpdate'
134            - 'Invoke-DomainPasswordSpray'
135            - 'Invoke-DowngradeAccount'
136            - 'Invoke-EgressCheck'
137            - 'Invoke-Eyewitness'
138            - 'Invoke-FakeLogonScreen'
139            - 'Invoke-Farmer'
140            - 'Invoke-Get-RBCD-Threaded'
141            - 'Invoke-Gopher'
142            - 'Invoke-Grouper' # Also Covers Invoke-GrouperX
143            - 'Invoke-HandleKatz'
144            - 'Invoke-ImpersonatedProcess'
145            - 'Invoke-ImpersonateSystem'
146            - 'Invoke-InteractiveSystemPowerShell'
147            - 'Invoke-Internalmonologue'
148            - 'Invoke-Inveigh'
149            - 'Invoke-InveighRelay'
150            - 'Invoke-KrbRelay'
151            - 'Invoke-LdapSignCheck'
152            - 'Invoke-Lockless'
153            - 'Invoke-MalSCCM'
154            - 'Invoke-Mimikatz'
155            - 'Invoke-Mimikittenz'
156            - 'Invoke-MITM6'
157            - 'Invoke-NanoDump'
158            - 'Invoke-NetRipper'
159            - 'Invoke-Nightmare'
160            - 'Invoke-NinjaCopy'
161            - 'Invoke-OfficeScrape'
162            - 'Invoke-OxidResolver'
163            - 'Invoke-P0wnedshell'
164            - 'Invoke-Paranoia'
165            - 'Invoke-PortScan'
166            - 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
167            - 'Invoke-PostExfil'
168            - 'Invoke-PowerDump'
169            - 'Invoke-PowerDPAPI'
170            - 'Invoke-PowerShellTCP'
171            - 'Invoke-PowerShellWMI'
172            - 'Invoke-PPLDump'
173            - 'Invoke-PsExec'
174            - 'Invoke-PSInject'
175            - 'Invoke-PsUaCme'
176            - 'Invoke-ReflectivePEInjection'
177            - 'Invoke-ReverseDNSLookup'
178            - 'Invoke-Rubeus'
179            - 'Invoke-RunAs'
180            - 'Invoke-SafetyKatz'
181            - 'Invoke-SauronEye'
182            - 'Invoke-SCShell'
183            - 'Invoke-Seatbelt'
184            - 'Invoke-ServiceAbuse'
185            - 'Invoke-ShadowSpray'
186            - 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
187            - 'Invoke-Shellcode'
188            - 'Invoke-SMBScanner'
189            - 'Invoke-Snaffler'
190            - 'Invoke-Spoolsample'
191            - 'Invoke-SpraySinglePassword'
192            - 'Invoke-SSHCommand'
193            - 'Invoke-StandIn'
194            - 'Invoke-StickyNotesExtract'
195            - 'Invoke-SystemCommand'
196            - 'Invoke-Tasksbackdoor'
197            - 'Invoke-Tater'
198            - 'Invoke-Thunderfox'
199            - 'Invoke-ThunderStruck'
200            - 'Invoke-TokenManipulation'
201            - 'Invoke-Tokenvator'
202            - 'Invoke-TotalExec'
203            - 'Invoke-UrbanBishop'
204            - 'Invoke-UserHunter'
205            - 'Invoke-VoiceTroll'
206            - 'Invoke-Whisker'
207            - 'Invoke-WinEnum'
208            - 'Invoke-winPEAS'
209            - 'Invoke-WireTap'
210            - 'Invoke-WmiCommand'
211            - 'Invoke-WMIExec'
212            - 'Invoke-WScriptBypassUAC'
213            - 'Invoke-Zerologon'
214            - 'MailRaider'
215            - 'New-ADIDNSNode'
216            - 'New-HoneyHash'
217            - 'New-InMemoryModule'
218            - 'New-SOASerialNumberArray'
219            - 'Out-Minidump'
220            - 'PowerBreach'
221            - 'powercat '
222            - 'PowerUp'
223            - 'PowerView'
224            - 'Remove-ADIDNSNode'
225            - 'Remove-Update'
226            - 'Rename-ADIDNSNode'
227            - 'Revoke-ADIDNSPermission'
228            - 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
229            - 'Show-TargetScreen'
230            - 'Start-CaptureServer'
231            - 'Start-Dnscat2'
232            - 'Start-WebcamRecorder'
233            - 'VolumeShadowCopyTools'
234            # - 'Check-VM'
235            # - 'Disable-MachineAccount'
236            # - 'Enable-MachineAccount'
237            # - 'Get-ApplicationHost'
238            # - 'Get-MachineAccountAttribute'
239            # - 'Get-MachineAccountCreator'
240            # - 'Get-Screenshot'
241            # - 'HTTP-Login'
242            # - 'Install-ServiceBinary'
243            # - 'Install-SSP'
244            # - 'New-DNSRecordArray'
245            # - 'New-MachineAccount'
246            # - 'Port-Scan'
247            # - 'Remove-MachineAccount'
248            # - 'Set-MacAttribute'
249            # - 'Set-MachineAccountAttribute'
250            # - 'Set-Wallpaper'
251    filter_optional_amazon_ec2:
252        ScriptBlockText|contains:
253            - Get-SystemDriveInfo  # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
254            - C:\ProgramData\Amazon\EC2-Windows\Launch\Module\  # false positive form Amazon EC2
255    condition: selection and not 1 of filter_optional_*
256falsepositives:
257    - Unknown
258level: high

References

Related rules

to-top