rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml

title: Malicious PowerShell Commandlets
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
status: experimental
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
    - https://adsecurity.org/?p=2921
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1086  #an old one
author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update)
date: 2017/03/05
modified: 2021/11/29
logsource:
    product: windows
    category: ps_script
    definition: Script Block Logging must be enable
detection:
    select_Malicious:
        ScriptBlockText|contains:
            - 'Invoke-DllInjection'
            - 'Invoke-Shellcode'
            - 'Invoke-WmiCommand'
            - 'Get-GPPPassword'
            - 'Get-Keystrokes'
            - 'Get-TimedScreenshot'
            - 'Get-VaultCredential'
            - 'Invoke-CredentialInjection'
            - 'Invoke-Mimikatz'
            - 'Invoke-NinjaCopy'
            - 'Invoke-TokenManipulation'
            - 'Out-Minidump'
            - 'VolumeShadowCopyTools'
            - 'Invoke-ReflectivePEInjection'
            - 'Invoke-UserHunter'
            - 'Find-GPOLocation'
            - 'Invoke-ACLScanner'
            - 'Invoke-DowngradeAccount'
            - 'Get-ServiceUnquoted'
            - 'Get-ServiceFilePermission'
            - 'Get-ServicePermission'
            - 'Invoke-ServiceAbuse'
            - 'Install-ServiceBinary'
            - 'Get-RegAutoLogon'
            - 'Get-VulnAutoRun'
            - 'Get-VulnSchTask'
            - 'Get-UnattendedInstallFile'
            - 'Get-ApplicationHost'
            - 'Get-RegAlwaysInstallElevated'
            - 'Get-Unconstrained'
            - 'Add-RegBackdoor'
            - 'Add-ScrnSaveBackdoor'
            - 'Gupt-Backdoor'
            - 'Invoke-ADSBackdoor'
            - 'Enabled-DuplicateToken'
            - 'Invoke-PsUaCme'
            - 'Remove-Update'
            - 'Check-VM'
            - 'Get-LSASecret'
            - 'Get-PassHashes'
            - 'Show-TargetScreen'
            - 'Port-Scan'
            - 'Invoke-PoshRatHttp'
            - 'Invoke-PowerShellTCP'
            - 'Invoke-PowerShellWMI'
            - 'Add-Exfiltration'
            - 'Add-Persistence'
            - 'Do-Exfiltration'
            - 'Start-CaptureServer'
            - 'Get-ChromeDump'
            - 'Get-ClipboardContents'
            - 'Get-FoxDump'
            - 'Get-IndexedItem'
            - 'Get-Screenshot'
            - 'Invoke-Inveigh'
            - 'Invoke-NetRipper'
            - 'Invoke-EgressCheck'
            - 'Invoke-PostExfil'
            - 'Invoke-PSInject'
            - 'Invoke-RunAs'
            - 'MailRaider'
            - 'New-HoneyHash'
            - 'Set-MacAttribute'
            - 'Invoke-DCSync'
            - 'Invoke-PowerDump'
            - 'Exploit-Jboss'
            - 'Invoke-ThunderStruck'
            - 'Invoke-VoiceTroll'
            - 'Set-Wallpaper'
            - 'Invoke-InveighRelay'
            - 'Invoke-PsExec'
            - 'Invoke-SSHCommand'
            - 'Get-SecurityPackages'
            - 'Install-SSP'
            - 'Invoke-BackdoorLNK'
            - 'PowerBreach'
            - 'Get-SiteListPassword'
            - 'Get-System'
            - 'Invoke-BypassUAC'
            - 'Invoke-Tater'
            - 'Invoke-WScriptBypassUAC'
            - 'PowerUp'
            - 'PowerView'
            - 'Get-RickAstley'
            - 'Find-Fruit'
            - 'HTTP-Login'
            - 'Find-TrustedDocuments'
            - 'Invoke-Paranoia'
            - 'Invoke-WinEnum'
            - 'Invoke-ARPScan'
            - 'Invoke-PortScan'
            - 'Invoke-ReverseDNSLookup'
            - 'Invoke-SMBScanner'
            - 'Invoke-Mimikittenz'
            - 'Invoke-AllChecks'
    false_positives:
        ScriptBlockText|contains:
            - Get-SystemDriveInfo  # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
            - C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1  # false positive form Amazon EC2
    condition: select_Malicious and not false_positives
falsepositives:
    - Penetration testing
level: high
First PowerShell Ruleset 2017-03-05 01:47:25 +01:00			`title: Malicious PowerShell Commandlets`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6`
First PowerShell Ruleset 2017-03-05 01:47:25 +01:00			`status: experimental`
			`description: Detects Commandlet names from well-known PowerShell exploitation frameworks`
Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00			`references:`
			`- https://adsecurity.org/?p=2921`
Tagged windows powershell, other and malware rules. 2018-07-24 10:56:41 +02:00			`tags:`
			`- attack.execution`
Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00			`- attack.t1059.001`
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-24 00:01:50 +00:00			`- attack.t1086 #an old one`
append authors of the update 2020-10-11 23:42:33 +02:00			`author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update)`
fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00			`date: 2017/03/05`
adding amazon ec2 to list of false positives 2021-11-29 19:20:00 +00:00			`modified: 2021/11/29`
First PowerShell Ruleset 2017-03-05 01:47:25 +01:00			`logsource:`
Bugfix: PowerShell rules log source inconstency 2017-03-21 10:22:13 +01:00			`product: windows`
$frack113$ change to category: ps_script 2021-10-16 08:18:49 +02:00			`category: ps_script`
$frack113$ Cleanup PS rules 2021-08-21 09:58:58 +02:00			`definition: Script Block Logging must be enable`
First PowerShell Ruleset 2017-03-05 01:47:25 +01:00			`detection:`
$frack113$ Cleanup PS rules 2021-08-21 09:58:58 +02:00			`select_Malicious:`
modify powershell_malicious_commandlets.yml to leverage ScriptBlock logging feature 2020-10-11 19:11:54 +02:00			`ScriptBlockText\|contains:`
$frack113$ Change double quote to quote 2022-01-06 14:02:35 +01:00			`- 'Invoke-DllInjection'`
			`- 'Invoke-Shellcode'`
			`- 'Invoke-WmiCommand'`
			`- 'Get-GPPPassword'`
			`- 'Get-Keystrokes'`
			`- 'Get-TimedScreenshot'`
			`- 'Get-VaultCredential'`
			`- 'Invoke-CredentialInjection'`
			`- 'Invoke-Mimikatz'`
			`- 'Invoke-NinjaCopy'`
			`- 'Invoke-TokenManipulation'`
			`- 'Out-Minidump'`
			`- 'VolumeShadowCopyTools'`
			`- 'Invoke-ReflectivePEInjection'`
			`- 'Invoke-UserHunter'`
			`- 'Find-GPOLocation'`
			`- 'Invoke-ACLScanner'`
			`- 'Invoke-DowngradeAccount'`
			`- 'Get-ServiceUnquoted'`
			`- 'Get-ServiceFilePermission'`
			`- 'Get-ServicePermission'`
			`- 'Invoke-ServiceAbuse'`
			`- 'Install-ServiceBinary'`
			`- 'Get-RegAutoLogon'`
			`- 'Get-VulnAutoRun'`
			`- 'Get-VulnSchTask'`
			`- 'Get-UnattendedInstallFile'`
			`- 'Get-ApplicationHost'`
			`- 'Get-RegAlwaysInstallElevated'`
			`- 'Get-Unconstrained'`
			`- 'Add-RegBackdoor'`
			`- 'Add-ScrnSaveBackdoor'`
			`- 'Gupt-Backdoor'`
			`- 'Invoke-ADSBackdoor'`
			`- 'Enabled-DuplicateToken'`
			`- 'Invoke-PsUaCme'`
			`- 'Remove-Update'`
			`- 'Check-VM'`
			`- 'Get-LSASecret'`
			`- 'Get-PassHashes'`
			`- 'Show-TargetScreen'`
			`- 'Port-Scan'`
			`- 'Invoke-PoshRatHttp'`
			`- 'Invoke-PowerShellTCP'`
			`- 'Invoke-PowerShellWMI'`
			`- 'Add-Exfiltration'`
			`- 'Add-Persistence'`
			`- 'Do-Exfiltration'`
			`- 'Start-CaptureServer'`
			`- 'Get-ChromeDump'`
			`- 'Get-ClipboardContents'`
			`- 'Get-FoxDump'`
			`- 'Get-IndexedItem'`
			`- 'Get-Screenshot'`
			`- 'Invoke-Inveigh'`
			`- 'Invoke-NetRipper'`
			`- 'Invoke-EgressCheck'`
			`- 'Invoke-PostExfil'`
			`- 'Invoke-PSInject'`
			`- 'Invoke-RunAs'`
			`- 'MailRaider'`
			`- 'New-HoneyHash'`
			`- 'Set-MacAttribute'`
			`- 'Invoke-DCSync'`
			`- 'Invoke-PowerDump'`
			`- 'Exploit-Jboss'`
			`- 'Invoke-ThunderStruck'`
			`- 'Invoke-VoiceTroll'`
			`- 'Set-Wallpaper'`
			`- 'Invoke-InveighRelay'`
			`- 'Invoke-PsExec'`
			`- 'Invoke-SSHCommand'`
			`- 'Get-SecurityPackages'`
			`- 'Install-SSP'`
			`- 'Invoke-BackdoorLNK'`
			`- 'PowerBreach'`
			`- 'Get-SiteListPassword'`
			`- 'Get-System'`
			`- 'Invoke-BypassUAC'`
			`- 'Invoke-Tater'`
			`- 'Invoke-WScriptBypassUAC'`
			`- 'PowerUp'`
			`- 'PowerView'`
			`- 'Get-RickAstley'`
			`- 'Find-Fruit'`
			`- 'HTTP-Login'`
			`- 'Find-TrustedDocuments'`
			`- 'Invoke-Paranoia'`
			`- 'Invoke-WinEnum'`
			`- 'Invoke-ARPScan'`
			`- 'Invoke-PortScan'`
			`- 'Invoke-ReverseDNSLookup'`
			`- 'Invoke-SMBScanner'`
			`- 'Invoke-Mimikittenz'`
			`- 'Invoke-AllChecks'`
powershell false positives 2019-09-06 03:54:19 -04:00			`false_positives:`
adding missing : 2021-12-01 23:14:57 +00:00			`ScriptBlockText\|contains:`
fixing yaml formatting 2021-12-01 21:27:31 +00:00			`- Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1`
			`- C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1 # false positive form Amazon EC2`
$frack113$ Cleanup PS rules 2021-08-21 09:58:58 +02:00			`condition: select_Malicious and not false_positives`
First PowerShell Ruleset 2017-03-05 01:47:25 +01:00			`falsepositives:`
			`- Penetration testing`
			`level: high`