title: Malicious PowerShell Scripts - PoshModule id: 41025fd7-0466-4650-a813-574aaacbe7f4 related: - id: f331aa1f-8c53-4fc3-b083-cc159bc971cb type: similar - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2 type: obsolete status: test description: Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance references: - https://github.com/PowerShellMafia/PowerSploit - https://github.com/NetSPI/PowerUpSQL - https://github.com/CsEnox/EventViewer-UACBypass - https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu - https://github.com/nettitude/Invoke-PowerThIEf - https://github.com/S3cur3Th1sSh1t/WinPwn - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1 - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1 - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1 - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1 - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec - https://github.com/HarmJ0y/DAMP - https://github.com/samratashok/nishang - https://github.com/DarkCoderSc/PowerRunAsSystem/ - https://github.com/besimorhino/powercat - https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1 - https://github.com/The-Viper-One/Invoke-PowerDPAPI/ - https://github.com/Arno0x/DNSExfiltrator/ author: frack113, Nasreddine Bencherchali (Nextron Systems) date: 2023-01-23 modified: 2025-12-10 tags: - attack.execution - attack.t1059.001 logsource: product: windows category: ps_module definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b detection: selection_generic: ContextInfo|contains: - 'Add-ConstrainedDelegationBackdoor.ps1' - 'Add-Exfiltration.ps1' - 'Add-Persistence.ps1' - 'Add-RegBackdoor.ps1' - 'Add-RemoteRegBackdoor.ps1' - 'Add-ScrnSaveBackdoor.ps1' - 'BadSuccessor.ps1' - 'Check-VM.ps1' - 'ConvertTo-ROT13.ps1' - 'Copy-VSS.ps1' - 'Create-MultipleSessions.ps1' - 'DNS_TXT_Pwnage.ps1' - 'dnscat2.ps1' - 'Do-Exfiltration.ps1' - 'DomainPasswordSpray.ps1' - 'Download_Execute.ps1' - 'Download-Execute-PS.ps1' - 'Enabled-DuplicateToken.ps1' - 'Enable-DuplicateToken.ps1' - 'Execute-Command-MSSQL.ps1' - 'Execute-DNSTXT-Code.ps1' - 'Execute-OnTime.ps1' - 'ExetoText.ps1' - 'Exploit-Jboss.ps1' - 'Find-AVSignature.ps1' - 'Find-Fruit.ps1' - 'Find-GPOLocation.ps1' - 'Find-TrustedDocuments.ps1' - 'FireBuster.ps1' - 'FireListener.ps1' - 'Get-ApplicationHost.ps1' - 'Get-ChromeDump.ps1' - 'Get-ClipboardContents.ps1' - 'Get-ComputerDetail.ps1' - 'Get-FoxDump.ps1' - 'Get-GPPAutologon.ps1' - 'Get-GPPPassword.ps1' - 'Get-IndexedItem.ps1' - 'Get-Keystrokes.ps1' - 'Get-LSASecret.ps1' - 'Get-MicrophoneAudio.ps1' - 'Get-PassHashes.ps1' - 'Get-PassHints.ps1' - 'Get-RegAlwaysInstallElevated.ps1' - 'Get-RegAutoLogon.ps1' - 'Get-RickAstley.ps1' - 'Get-Screenshot.ps1' - 'Get-SecurityPackages.ps1' - 'Get-ServiceFilePermission.ps1' - 'Get-ServicePermission.ps1' - 'Get-ServiceUnquoted.ps1' - 'Get-SiteListPassword.ps1' - 'Get-System.ps1' - 'Get-TimedScreenshot.ps1' - 'Get-UnattendedInstallFile.ps1' - 'Get-Unconstrained.ps1' - 'Get-USBKeystrokes.ps1' - 'Get-VaultCredential.ps1' - 'Get-VulnAutoRun.ps1' - 'Get-VulnSchTask.ps1' - 'Get-WebConfig.ps1' - 'Get-WebCredentials.ps1' - 'Get-WLAN-Keys.ps1' - 'Gupt-Backdoor.ps1' - 'HTTP-Backdoor.ps1' - 'HTTP-Login.ps1' - 'Install-ServiceBinary.ps1' - 'Install-SSP.ps1' - 'Invoke-ACLScanner.ps1' - 'Invoke-ADSBackdoor.ps1' - 'Invoke-AmsiBypass.ps1' - 'Invoke-ARPScan.ps1' - 'Invoke-BackdoorLNK.ps1' - 'Invoke-BadPotato.ps1' - 'Invoke-BetterSafetyKatz.ps1' - 'Invoke-BruteForce.ps1' - 'Invoke-BypassUAC.ps1' - 'Invoke-Carbuncle.ps1' - 'Invoke-Certify.ps1' - 'Invoke-ConPtyShell.ps1' - 'Invoke-CredentialInjection.ps1' - 'Invoke-CredentialsPhish.ps1' - 'Invoke-DAFT.ps1' - 'Invoke-DCSync.ps1' - 'Invoke-Decode.ps1' - 'Invoke-DinvokeKatz.ps1' - 'Invoke-DllInjection.ps1' - 'Invoke-DNSExfiltrator.ps1' - 'Invoke-DowngradeAccount.ps1' - 'Invoke-EgressCheck.ps1' - 'Invoke-Encode.ps1' - 'Invoke-EventViewer.ps1' - 'Invoke-Eyewitness.ps1' - 'Invoke-FakeLogonScreen.ps1' - 'Invoke-Farmer.ps1' - 'Invoke-Get-RBCD-Threaded.ps1' - 'Invoke-Gopher.ps1' - 'Invoke-Grouper2.ps1' - 'Invoke-Grouper3.ps1' - 'Invoke-HandleKatz.ps1' - 'Invoke-Interceptor.ps1' - 'Invoke-Internalmonologue.ps1' - 'Invoke-Inveigh.ps1' - 'Invoke-InveighRelay.ps1' - 'Invoke-JSRatRegsvr.ps1' - 'Invoke-JSRatRundll.ps1' - 'Invoke-KrbRelay.ps1' - 'Invoke-KrbRelayUp.ps1' - 'Invoke-LdapSignCheck.ps1' - 'Invoke-Lockless.ps1' - 'Invoke-MalSCCM.ps1' - 'Invoke-Mimikatz.ps1' - 'Invoke-MimikatzWDigestDowngrade.ps1' - 'Invoke-Mimikittenz.ps1' - 'Invoke-MITM6.ps1' - 'Invoke-NanoDump.ps1' - 'Invoke-NetRipper.ps1' - 'Invoke-NetworkRelay.ps1' - 'Invoke-NinjaCopy.ps1' - 'Invoke-OxidResolver.ps1' - 'Invoke-P0wnedshell.ps1' - 'Invoke-P0wnedshellx86.ps1' - 'Invoke-Paranoia.ps1' - 'Invoke-PortScan.ps1' - 'Invoke-PoshRatHttp.ps1' - 'Invoke-PoshRatHttps.ps1' - 'Invoke-PostExfil.ps1' - 'Invoke-PowerDump.ps1' - 'Invoke-PowerDPAPI.ps1' - 'Invoke-PowerShellIcmp.ps1' - 'Invoke-PowerShellTCP.ps1' - 'Invoke-PowerShellTcpOneLine.ps1' - 'Invoke-PowerShellTcpOneLineBind.ps1' - 'Invoke-PowerShellUdp.ps1' - 'Invoke-PowerShellUdpOneLine.ps1' - 'Invoke-PowerShellWMI.ps1' - 'Invoke-PowerThIEf.ps1' - 'Invoke-PPLDump.ps1' - 'Invoke-Prasadhak.ps1' - 'Invoke-PsExec.ps1' - 'Invoke-PsGcat.ps1' - 'Invoke-PsGcatAgent.ps1' - 'Invoke-PSInject.ps1' - 'Invoke-PsUaCme.ps1' - 'Invoke-ReflectivePEInjection.ps1' - 'Invoke-ReverseDNSLookup.ps1' - 'Invoke-Rubeus.ps1' - 'Invoke-RunAs.ps1' - 'Invoke-SafetyKatz.ps1' - 'Invoke-SauronEye.ps1' - 'Invoke-SCShell.ps1' - 'Invoke-Seatbelt.ps1' - 'Invoke-ServiceAbuse.ps1' - 'Invoke-SessionGopher.ps1' - 'Invoke-ShellCode.ps1' - 'Invoke-SMBScanner.ps1' - 'Invoke-Snaffler.ps1' - 'Invoke-Spoolsample.ps1' - 'Invoke-SSHCommand.ps1' - 'Invoke-SSIDExfil.ps1' - 'Invoke-StandIn.ps1' - 'Invoke-StickyNotesExtract.ps1' - 'Invoke-Tater.ps1' - 'Invoke-Thunderfox.ps1' - 'Invoke-ThunderStruck.ps1' - 'Invoke-TokenManipulation.ps1' - 'Invoke-Tokenvator.ps1' - 'Invoke-TotalExec.ps1' - 'Invoke-UrbanBishop.ps1' - 'Invoke-UserHunter.ps1' - 'Invoke-VoiceTroll.ps1' - 'Invoke-Whisker.ps1' - 'Invoke-WinEnum.ps1' - 'Invoke-winPEAS.ps1' - 'Invoke-WireTap.ps1' - 'Invoke-WmiCommand.ps1' - 'Invoke-WScriptBypassUAC.ps1' - 'Invoke-Zerologon.ps1' - 'Keylogger.ps1' - 'MailRaider.ps1' - 'New-HoneyHash.ps1' - 'OfficeMemScraper.ps1' - 'Offline_Winpwn.ps1' - 'Out-CHM.ps1' - 'Out-DnsTxt.ps1' - 'Out-Excel.ps1' - 'Out-HTA.ps1' - 'Out-Java.ps1' - 'Out-JS.ps1' - 'Out-Minidump.ps1' - 'Out-RundllCommand.ps1' - 'Out-SCF.ps1' - 'Out-SCT.ps1' - 'Out-Shortcut.ps1' - 'Out-WebQuery.ps1' - 'Out-Word.ps1' - 'Parse_Keys.ps1' - 'Port-Scan.ps1' - 'PowerBreach.ps1' - 'powercat.ps1' - 'PowerRunAsSystem.psm1' - 'PowerSharpPack.ps1' - 'PowerUp.ps1' - 'PowerUpSQL.ps1' - 'PowerView.ps1' - 'PSAsyncShell.ps1' - 'RemoteHashRetrieval.ps1' - 'Remove-Persistence.ps1' - 'Remove-PoshRat.ps1' - 'Remove-Update.ps1' - 'Run-EXEonRemote.ps1' - 'Schtasks-Backdoor.ps1' - 'Set-DCShadowPermissions.ps1' - 'Set-MacAttribute.ps1' - 'Set-RemotePSRemoting.ps1' - 'Set-RemoteWMI.ps1' - 'Set-Wallpaper.ps1' - 'Show-TargetScreen.ps1' - 'Speak.ps1' - 'Start-CaptureServer.ps1' - 'Start-WebcamRecorder.ps1' - 'StringToBase64.ps1' - 'TexttoExe.ps1' - 'Veeam-Get-Creds.ps1' - 'VolumeShadowCopyTools.ps1' - 'WinPwn.ps1' - 'WSUSpendu.ps1' selection_invoke_sharp: ContextInfo|contains|all: - 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants - '.ps1' condition: 1 of selection_* falsepositives: - Unknown level: high