rules/windows/powershell/powershell_malicious_keywords.yml

title: Malicious PowerShell Keywords
status: experimental
description: Detects keywords from well-known PowerShell exploitation frameworks
modified: 2019/01/22
references:
    - https://adsecurity.org/?p=2921
tags:
    - attack.execution
    - attack.t1086
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
    product: windows
    service: powershell
    definition: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
    keywords:
        - AdjustTokenPrivileges
        - IMAGE_NT_OPTIONAL_HDR64_MAGIC
        - Microsoft.Win32.UnsafeNativeMethods
        - ReadProcessMemory.Invoke
        - SE_PRIVILEGE_ENABLED
        - LSA_UNICODE_STRING
        - MiniDumpWriteDump
        - PAGE_EXECUTE_READ
        - SECURITY_DELEGATION
        - TOKEN_ADJUST_PRIVILEGES
        - TOKEN_ALL_ACCESS
        - TOKEN_ASSIGN_PRIMARY
        - TOKEN_DUPLICATE
        - TOKEN_ELEVATION
        - TOKEN_IMPERSONATE
        - TOKEN_INFORMATION_CLASS
        - TOKEN_PRIVILEGES
        - TOKEN_QUERY
        - Metasploit
        - Mimikatz
    condition: keywords
falsepositives:
    - Penetration tests
level: high
Fixed bugs 2018-06-27 09:20:20 +02:00			`title: Malicious PowerShell Keywords`
First PowerShell Ruleset 2017-03-05 01:47:25 +01:00			`status: experimental`
Fixed bugs 2018-06-27 09:20:20 +02:00			`description: Detects keywords from well-known PowerShell exploitation frameworks`
rule: false positive reduction in PowerShell rules 2019-01-22 16:37:36 +01:00			`modified: 2019/01/22`
Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00			`references:`
			`- https://adsecurity.org/?p=2921`
Tagged windows powershell, other and malware rules. 2018-07-24 10:56:41 +02:00			`tags:`
			`- attack.execution`
Lower case T 2018-09-26 11:44:12 +02:00			`- attack.t1086`
First PowerShell Ruleset 2017-03-05 01:47:25 +01:00			`author: Sean Metcalf (source), Florian Roth (rule)`
			`logsource:`
Bugfix: PowerShell rules log source inconstency 2017-03-21 10:22:13 +01:00			`product: windows`
			`service: powershell`
Replace "logsource: description" with "definition" to match the specs 2018-11-15 09:00:06 +03:00			`definition: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'`
First PowerShell Ruleset 2017-03-05 01:47:25 +01:00			`detection:`
			`keywords:`
			`- AdjustTokenPrivileges`
			`- IMAGE_NT_OPTIONAL_HDR64_MAGIC`
			`- Microsoft.Win32.UnsafeNativeMethods`
			`- ReadProcessMemory.Invoke`
			`- SE_PRIVILEGE_ENABLED`
			`- LSA_UNICODE_STRING`
			`- MiniDumpWriteDump`
			`- PAGE_EXECUTE_READ`
			`- SECURITY_DELEGATION`
			`- TOKEN_ADJUST_PRIVILEGES`
			`- TOKEN_ALL_ACCESS`
			`- TOKEN_ASSIGN_PRIMARY`
			`- TOKEN_DUPLICATE`
			`- TOKEN_ELEVATION`
			`- TOKEN_IMPERSONATE`
			`- TOKEN_INFORMATION_CLASS`
			`- TOKEN_PRIVILEGES`
			`- TOKEN_QUERY`
			`- Metasploit`
			`- Mimikatz`
			`condition: keywords`
			`falsepositives:`
			`- Penetration tests`
			`level: high`