rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml

title: Malicious PowerShell Keywords
id: f62176f3-8128-4faa-bf6c-83261322e5eb
status: experimental
description: Detects keywords from well-known PowerShell exploitation frameworks
references:
    - https://adsecurity.org/?p=2921
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1086  #an old one
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
modified: 2021/10/16
logsource:
    product: windows
    category: ps_script
    definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
    Malicious:
        ScriptBlockText|contains:
            - 'AdjustTokenPrivileges'
            - 'IMAGE_NT_OPTIONAL_HDR64_MAGIC'
            - 'Microsoft.Win32.UnsafeNativeMethods'
            - 'ReadProcessMemory.Invoke'
            - 'SE_PRIVILEGE_ENABLED'
            - 'LSA_UNICODE_STRING'
            - 'MiniDumpWriteDump'
            - 'PAGE_EXECUTE_READ'
            - 'SECURITY_DELEGATION'
            - 'TOKEN_ADJUST_PRIVILEGES'
            - 'TOKEN_ALL_ACCESS'
            - 'TOKEN_ASSIGN_PRIMARY'
            - 'TOKEN_DUPLICATE'
            - 'TOKEN_ELEVATION'
            - 'TOKEN_IMPERSONATE'
            - 'TOKEN_INFORMATION_CLASS'
            - 'TOKEN_PRIVILEGES'
            - 'TOKEN_QUERY'
            - 'Metasploit'
            - 'Mimikatz'
    condition: Malicious
falsepositives:
    - Penetration tests
level: high
Fixed bugs 2018-06-27 09:20:20 +02:00			`title: Malicious PowerShell Keywords`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: f62176f3-8128-4faa-bf6c-83261322e5eb`
First PowerShell Ruleset 2017-03-05 01:47:25 +01:00			`status: experimental`
Fixed bugs 2018-06-27 09:20:20 +02:00			`description: Detects keywords from well-known PowerShell exploitation frameworks`
Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00			`references:`
			`- https://adsecurity.org/?p=2921`
Tagged windows powershell, other and malware rules. 2018-07-24 10:56:41 +02:00			`tags:`
			`- attack.execution`
Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00			`- attack.t1059.001`
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-24 00:01:50 +00:00			`- attack.t1086 #an old one`
First PowerShell Ruleset 2017-03-05 01:47:25 +01:00			`author: Sean Metcalf (source), Florian Roth (rule)`
fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00			`date: 2017/03/05`
$frack113$ change to category: ps_script 2021-10-16 08:18:49 +02:00			`modified: 2021/10/16`
First PowerShell Ruleset 2017-03-05 01:47:25 +01:00			`logsource:`
Bugfix: PowerShell rules log source inconstency 2017-03-21 10:22:13 +01:00			`product: windows`
$frack113$ change to category: ps_script 2021-10-16 08:18:49 +02:00			`category: ps_script`
fixed typos 2019-06-29 15:35:59 +03:00			`definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'`
First PowerShell Ruleset 2017-03-05 01:47:25 +01:00			`detection:`
$frack113$ Update PowerShell rule 2021-08-21 09:08:38 +02:00			`Malicious:`
			`ScriptBlockText\|contains:`
$frack113$ Change double quote to quote 2022-01-06 14:02:35 +01:00			`- 'AdjustTokenPrivileges'`
			`- 'IMAGE_NT_OPTIONAL_HDR64_MAGIC'`
			`- 'Microsoft.Win32.UnsafeNativeMethods'`
			`- 'ReadProcessMemory.Invoke'`
			`- 'SE_PRIVILEGE_ENABLED'`
			`- 'LSA_UNICODE_STRING'`
			`- 'MiniDumpWriteDump'`
			`- 'PAGE_EXECUTE_READ'`
			`- 'SECURITY_DELEGATION'`
			`- 'TOKEN_ADJUST_PRIVILEGES'`
			`- 'TOKEN_ALL_ACCESS'`
			`- 'TOKEN_ASSIGN_PRIMARY'`
			`- 'TOKEN_DUPLICATE'`
			`- 'TOKEN_ELEVATION'`
			`- 'TOKEN_IMPERSONATE'`
			`- 'TOKEN_INFORMATION_CLASS'`
			`- 'TOKEN_PRIVILEGES'`
			`- 'TOKEN_QUERY'`
			`- 'Metasploit'`
			`- 'Mimikatz'`
$frack113$ Update PowerShell rule 2021-08-21 09:08:38 +02:00			`condition: Malicious`
First PowerShell Ruleset 2017-03-05 01:47:25 +01:00			`falsepositives:`
			`- Penetration tests`
			`level: high`