Potential Suspicious PowerShell Keywords
Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework
Sigma rule (View on GitHub)
1title: Potential Suspicious PowerShell Keywords
2id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
3status: test
4description: Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework
5references:
6 - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
7 - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1
8 - https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1
9 - https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
10author: Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)
11date: 2019-02-11
12modified: 2023-04-21
13tags:
14 - attack.execution
15 - attack.t1059.001
16logsource:
17 product: windows
18 category: ps_script
19 definition: 'Requirements: Script Block Logging must be enabled'
20detection:
21 selection:
22 ScriptBlockText|contains:
23 - 'System.Reflection.Assembly.Load($'
24 - '[System.Reflection.Assembly]::Load($'
25 - '[Reflection.Assembly]::Load($'
26 - 'System.Reflection.AssemblyName'
27 - 'Reflection.Emit.AssemblyBuilderAccess'
28 - 'Reflection.Emit.CustomAttributeBuilder'
29 - 'Runtime.InteropServices.UnmanagedType'
30 - 'Runtime.InteropServices.DllImportAttribute'
31 - 'SuspendThread'
32 - 'rundll32'
33 # - 'FromBase64'
34 # - 'Invoke-WMIMethod' # Prone to FP
35 # - 'http://127.0.0.1' # Prone to FP
36 condition: selection
37falsepositives:
38 - Unknown
39level: medium
References
Related rules
- AWS EC2 Startup Shell Script Change
- Alternate PowerShell Hosts - PowerShell Module
- Alternate PowerShell Hosts Pipe
- Bad Opsec Powershell Code Artifacts
- BloodHound Collection Files