title: Suspicious PowerShell Keywords
id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
status: experimental
description: Detects keywords that could indicate the use of some PowerShell exploitation framework
date: 2019/02/11
modified: 2021/08/30
author: Florian Roth, Perez Diego (@darkquassar)
references:
    - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
    - https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
    - https://github.com/hlldz/Invoke-Phant0m/blob/master/Invoke-Phant0m.ps1
    - https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1086  # an old one
logsource:
    product: windows
    service: powershell
    definition: Script block logging must be enabled for 4104
detection:
    framework:
        EventID: 4104
        ScriptBlockText|contains:
            - "System.Reflection.Assembly.Load($"
            - "[System.Reflection.Assembly]::Load($"
            - "[Reflection.Assembly]::Load($"
            - "System.Reflection.AssemblyName"
            - "Reflection.Emit.AssemblyBuilderAccess"
            - "Runtime.InteropServices.DllImportAttribute"
            - "SuspendThread"
            - "rundll32"
            # - "FromBase64"
            - "Invoke-WMIMethod"
            - "http://127.0.0.1"
    condition: framework
falsepositives:
    - Penetration tests
level: high
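Added example (not part of the rule or the Sigma project): a minimal Python evaluation of this rule's `framework` selection against constructed Event ID 4104 records, showing the EventID gate and the case-insensitive substring semantics Sigma applies to `|contains`. The sample script block texts are hypothetical, not real telemetry.

```python
from typing import Dict, List

# Mirror of the rule's ScriptBlockText|contains list (the commented-out FromBase64 entry is left out).
FRAMEWORK_KEYWORDS = [
    "System.Reflection.Assembly.Load($",
    "[System.Reflection.Assembly]::Load($",
    "[Reflection.Assembly]::Load($",
    "System.Reflection.AssemblyName",
    "Reflection.Emit.AssemblyBuilderAccess",
    "Runtime.InteropServices.DllImportAttribute",
    "SuspendThread",
    "rundll32",
    "Invoke-WMIMethod",
    "http://127.0.0.1",
]


def contains_any(text: str, keywords: List[str]) -> List[str]:
    """Sigma's |contains modifier: case-insensitive substring match. Returns the matching keywords."""
    haystack = text.lower()
    return [k for k in keywords if k.lower() in haystack]


def evaluate_rule(event: Dict[str, object]) -> List[str]:
    """Apply the 'framework' selection to one PowerShell event.

    The keys of a Sigma selection map are ANDed, so the EventID must be 4104 and
    at least one keyword must occur in ScriptBlockText. Returns the hits ([] = no alert).
    """
    if event.get("EventID") != 4104:
        return []
    return contains_any(str(event.get("ScriptBlockText", "")), FRAMEWORK_KEYWORDS)


# Constructed sample events (hypothetical, not captured from a real host).
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "$a = [System.Reflection.Assembly]::Load($bytes)"},
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\Windows | Measure-Object"},
    {"EventID": 4103, "ScriptBlockText": "rundll32 sample.dll,Entry"},  # wrong EventID: no match
    {"EventID": 4104, "ScriptBlockText": "Invoke-WmiMethod -Class Win32_Process -Name GetOwner"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        hits = evaluate_rule(ev)
        print(ev["EventID"], "ALERT" if hits else "ok", hits)
```

The fourth sample matches although its casing (`Invoke-WmiMethod`) differs from the rule string, which is what a backend honouring Sigma's default case-insensitivity should do.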