rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml

title: Suspicious PowerShell Keywords
id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
status: experimental
description: Detects keywords that could indicate the use of some PowerShell exploitation framework
date: 2019/02/11
modified: 2021/10/16
author: Florian Roth, Perez Diego (@darkquassar)
references:
    - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
    - https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
    - https://github.com/hlldz/Invoke-Phant0m/blob/master/Invoke-Phant0m.ps1
    - https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1086  #an old one
logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled for 4104
detection:
    framework:
        ScriptBlockText|contains:
            - "System.Reflection.Assembly.Load($"
            - "[System.Reflection.Assembly]::Load($"
            - "[Reflection.Assembly]::Load($"
            - "System.Reflection.AssemblyName"
            - "Reflection.Emit.AssemblyBuilderAccess"
            - "Runtime.InteropServices.DllImportAttribute"
            - "SuspendThread"
            - "rundll32"
            # - "FromBase64"
            - "Invoke-WMIMethod"
            - "http://127.0.0.1"
    condition: framework
falsepositives:
    - Penetration tests
level: high
Rule: Suspicious PowerShell keywords 2019-02-11 13:02:33 +01:00			`title: Suspicious PowerShell Keywords`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf`
Rule: Suspicious PowerShell keywords 2019-02-11 13:02:33 +01:00			`status: experimental`
			`description: Detects keywords that could indicate the use of some PowerShell exploitation framework`
			`date: 2019/02/11`
$frack113$ change to category: ps_script 2021-10-16 08:18:49 +02:00			`modified: 2021/10/16`
adding some more suspicious PS keywords 2019-10-28 22:14:14 -07:00			`author: Florian Roth, Perez Diego (@darkquassar)`
Rule: Suspicious PowerShell keywords 2019-02-11 13:02:33 +01:00			`references:`
			`- https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462`
adding some more suspicious PS keywords 2019-10-28 22:14:14 -07:00			`- https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1`
			`- https://github.com/hlldz/Invoke-Phant0m/blob/master/Invoke-Phant0m.ps1`
more PowerShell suspicious keywords 2021-06-10 09:41:55 +02:00			`- https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7`
Rule: Suspicious PowerShell keywords 2019-02-11 13:02:33 +01:00			`tags:`
			`- attack.execution`
Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00			`- attack.t1059.001`
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-24 00:01:50 +00:00			`- attack.t1086 #an old one`
Rule: Suspicious PowerShell keywords 2019-02-11 13:02:33 +01:00			`logsource:`
			`product: windows`
$frack113$ change to category: ps_script 2021-10-16 08:18:49 +02:00			`category: ps_script`
$frack113$ Fix some errors 2021-08-30 19:49:44 +02:00			`definition: Script block logging must be enabled for 4104`
Rule: Suspicious PowerShell keywords 2019-02-11 13:02:33 +01:00			`detection:`
$frack113$ Fix some errors 2021-08-30 19:49:44 +02:00			`framework:`
			`ScriptBlockText\|contains:`
			`- "System.Reflection.Assembly.Load($"`
			`- "[System.Reflection.Assembly]::Load($"`
			`- "[Reflection.Assembly]::Load($"`
			`- "System.Reflection.AssemblyName"`
			`- "Reflection.Emit.AssemblyBuilderAccess"`
			`- "Runtime.InteropServices.DllImportAttribute"`
			`- "SuspendThread"`
			`- "rundll32"`
			`# - "FromBase64"`
			`- "Invoke-WMIMethod"`
			`- "http://127.0.0.1"`
			`condition: framework`
Rule: Suspicious PowerShell keywords 2019-02-11 13:02:33 +01:00			`falsepositives:`
			`- Penetration tests`
			`level: high`