Potential Suspicious PowerShell Keywords

 1title: Potential Suspicious PowerShell Keywords
 2id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
 3status: test
 4description: Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework
 5references:
 6    - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
 7    - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1
 8    - https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1
 9    - https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
10author: Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)
11date: 2019-02-11
12modified: 2023-04-21
13tags:
14    - attack.execution
15    - attack.t1059.001
16logsource:
17    product: windows
18    category: ps_script
19    definition: 'Requirements: Script Block Logging must be enabled'
20detection:
21    selection:
22        ScriptBlockText|contains:
23            - 'System.Reflection.Assembly.Load($'
24            - '[System.Reflection.Assembly]::Load($'
25            - '[Reflection.Assembly]::Load($'
26            - 'System.Reflection.AssemblyName'
27            - 'Reflection.Emit.AssemblyBuilderAccess'
28            - 'Reflection.Emit.CustomAttributeBuilder'
29            - 'Runtime.InteropServices.UnmanagedType'
30            - 'Runtime.InteropServices.DllImportAttribute'
31            - 'SuspendThread'
32            - 'rundll32'
33            # - 'FromBase64'
34            # - 'Invoke-WMIMethod' # Prone to FP
35            # - 'http://127.0.0.1' # Prone to FP
36    condition: selection
37falsepositives:
38    - Unknown
39level: medium

References

• Entering a Covenant: .NET Command and Control

  

  I’ve slowly been open sourcing .NET tradecraft that I’ve been working on for some time, including the SharpSploit, SharpGen, and…

  
  Read More

• PowerSploit/CodeExecution/Invoke-ReflectivePEInjection.ps1 at d943001a7defb5e0d1657085a77a0e78609be58f · PowerShellMafia/PowerSploit

  

  PowerSploit - A PowerShell Post-Exploitation Framework - PowerShellMafia/PowerSploit

  
  Read More

• Phant0m/old/Invoke-Phant0m.ps1 at 30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2 · hlldz/Phant0m

  

  Windows Event Log Killer. Contribute to hlldz/Phant0m development by creating an account on GitHub.

  
  Read More

• matching.md

  

  GitHub Gist: instantly share code, notes, and snippets.

  
  Read More

Related rules

• AWS EC2 Startup Shell Script Change
• Alternate PowerShell Hosts - PowerShell Module
• Bad Opsec Powershell Code Artifacts
• BloodHound Collection Files
• Certificate Exported Via PowerShell