Malicious ShellIntel PowerShell Commandlets
Detects Commandlet names from ShellIntel exploitation scripts.
Sigma rule (View on GitHub)
1title: Malicious ShellIntel PowerShell Commandlets
2id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7
3status: test
4description: Detects Commandlet names from ShellIntel exploitation scripts.
5references:
6 - https://github.com/Shellntel/scripts/
7author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
8date: 2021-08-09
9modified: 2023-01-02
10tags:
11 - attack.execution
12 - attack.t1059.001
13logsource:
14 product: windows
15 category: ps_script
16 definition: 'Requirements: Script Block Logging must be enabled'
17detection:
18 selection:
19 ScriptBlockText|contains:
20 - 'Invoke-SMBAutoBrute'
21 - 'Invoke-GPOLinks'
22 # - 'Out-Minidump' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
23 - 'Invoke-Potato'
24 condition: selection
25falsepositives:
26 - Unknown
27level: high
References
Related rules
- AWS EC2 Startup Shell Script Change
- Alternate PowerShell Hosts - PowerShell Module
- Alternate PowerShell Hosts Pipe
- Bad Opsec Powershell Code Artifacts
- BloodHound Collection Files