Malicious Nishang PowerShell Commandlets
Detects Commandlet names and arguments from the Nishang exploitation framework
Sigma rule (View on GitHub)
1title: Malicious Nishang PowerShell Commandlets
2id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
3status: test
4description: Detects Commandlet names and arguments from the Nishang exploitation framework
5references:
6 - https://github.com/samratashok/nishang
7author: Alec Costello
8date: 2019/05/16
9modified: 2023/01/16
10tags:
11 - attack.execution
12 - attack.t1059.001
13logsource:
14 product: windows
15 category: ps_script
16 definition: 'Requirements: Script Block Logging must be enabled'
17detection:
18 selection:
19 ScriptBlockText|contains:
20 - 'Add-ConstrainedDelegationBackdoor'
21 # - 'Add-Persistence' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
22 # - 'Add-RegBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
23 # - 'Add-ScrnSaveBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
24 - 'Copy-VSS'
25 - 'Create-MultipleSessions'
26 - 'DataToEncode'
27 - 'DNS_TXT_Pwnage'
28 - 'Do-Exfiltration-Dns'
29 - 'Download_Execute'
30 - 'Download-Execute-PS'
31 - 'DownloadAndExtractFromRemoteRegistry'
32 - 'DumpCerts'
33 - 'DumpCreds'
34 - 'DumpHashes'
35 - 'Enable-DuplicateToken'
36 - 'Enable-Duplication'
37 - 'Execute-Command-MSSQL'
38 - 'Execute-DNSTXT-Code'
39 - 'Execute-OnTime'
40 - 'ExetoText'
41 - 'exfill'
42 - 'ExfilOption'
43 - 'FakeDC'
44 - 'FireBuster'
45 - 'FireListener'
46 - 'Get-Information ' # Space at the end is required. Otherwise, we get FP with Get-InformationBarrierReportDetails or Get-InformationBarrierReportSummary
47 # - 'Get-PassHashes' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
48 - 'Get-PassHints'
49 - 'Get-Web-Credentials'
50 - 'Get-WebCredentials'
51 - 'Get-WLAN-Keys'
52 # - 'Gupt-Backdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
53 - 'HTTP-Backdoor'
54 # - 'Invoke-ADSBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
55 - 'Invoke-AmsiBypass'
56 - 'Invoke-BruteForce'
57 - 'Invoke-CredentialsPhish'
58 - 'Invoke-Decode'
59 - 'Invoke-Encode'
60 - 'Invoke-Interceptor'
61 - 'Invoke-JSRatRegsvr'
62 - 'Invoke-JSRatRundll'
63 - 'Invoke-MimikatzWDigestDowngrade'
64 - 'Invoke-NetworkRelay'
65 # - 'Invoke-PortScan' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
66 # - 'Invoke-PoshRatHttp' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
67 - 'Invoke-PowerShellIcmp'
68 - 'Invoke-PowerShellUdp'
69 - 'Invoke-Prasadhak'
70 - 'Invoke-PSGcat'
71 - 'Invoke-PsGcatAgent'
72 # - 'Invoke-PsUACme' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
73 - 'Invoke-SessionGopher'
74 - 'Invoke-SSIDExfil'
75 # - Jitter # Prone to FPs
76 # - 'Keylogger' # Too generic to be linked to Nishang
77 - 'LoggedKeys'
78 - 'Nishang'
79 - 'NotAllNameSpaces' # This is param to "Set-RemoteWMI"
80 - 'Out-CHM'
81 - 'OUT-DNSTXT'
82 - 'Out-HTA'
83 - 'Out-RundllCommand'
84 - 'Out-SCF'
85 - 'Out-SCT'
86 - 'Out-Shortcut'
87 - 'Out-WebQuery'
88 - 'Out-Word'
89 - 'Parse_Keys'
90 - 'Password-List'
91 - 'Powerpreter'
92 - 'Remove-Persistence'
93 - 'Remove-PoshRat'
94 - 'Remove-Update'
95 - 'Run-EXEonRemote'
96 - 'Set-DCShadowPermissions'
97 - 'Set-RemotePSRemoting'
98 - 'Set-RemoteWMI'
99 - 'Shellcode32'
100 - 'Shellcode64'
101 - 'StringtoBase64'
102 - 'TexttoExe'
103 condition: selection
104falsepositives:
105 - Unknown
106level: high
References
-
Nishang - Offensive PowerShell for red team, penetration testing and offensive security. - GitHub - samratashok/nishang: Nishang - Offensive PowerShell for red team, penetration testing and offens...
Read More
Related rules
- Import PowerShell Modules From Suspicious Directories
- Import PowerShell Modules From Suspicious Directories - ProcCreation
- Potential Persistence Via Powershell Search Order Hijacking - Task
- Potential PowerShell Obfuscation Using Alias Cmdlets
- Potential PowerShell Obfuscation Using Character Join