title: Malicious PowerShell Commandlets id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 status: experimental description: Detects Commandlet names from well-known PowerShell exploitation frameworks references: - https://adsecurity.org/?p=2921 tags: - attack.execution - attack.t1059.001 author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update) date: 2017/03/05 modified: 2021/11/29 logsource: product: windows category: ps_script definition: Script Block Logging must be enable detection: select_Malicious: ScriptBlockText|contains: - 'Invoke-DllInjection' - 'Invoke-Shellcode' - 'Invoke-WmiCommand' - 'Get-GPPPassword' - 'Get-Keystrokes' - 'Get-TimedScreenshot' - 'Get-VaultCredential' - 'Invoke-CredentialInjection' - 'Invoke-Mimikatz' - 'Invoke-NinjaCopy' - 'Invoke-TokenManipulation' - 'Out-Minidump' - 'VolumeShadowCopyTools' - 'Invoke-ReflectivePEInjection' - 'Invoke-UserHunter' - 'Find-GPOLocation' - 'Invoke-ACLScanner' - 'Invoke-DowngradeAccount' - 'Get-ServiceUnquoted' - 'Get-ServiceFilePermission' - 'Get-ServicePermission' - 'Invoke-ServiceAbuse' - 'Install-ServiceBinary' - 'Get-RegAutoLogon' - 'Get-VulnAutoRun' - 'Get-VulnSchTask' - 'Get-UnattendedInstallFile' - 'Get-ApplicationHost' - 'Get-RegAlwaysInstallElevated' - 'Get-Unconstrained' - 'Add-RegBackdoor' - 'Add-ScrnSaveBackdoor' - 'Gupt-Backdoor' - 'Invoke-ADSBackdoor' - 'Enabled-DuplicateToken' - 'Invoke-PsUaCme' - 'Remove-Update' - 'Check-VM' - 'Get-LSASecret' - 'Get-PassHashes' - 'Show-TargetScreen' - 'Port-Scan' - 'Invoke-PoshRatHttp' - 'Invoke-PowerShellTCP' - 'Invoke-PowerShellWMI' - 'Add-Exfiltration' - 'Add-Persistence' - 'Do-Exfiltration' - 'Start-CaptureServer' - 'Get-ChromeDump' - 'Get-ClipboardContents' - 'Get-FoxDump' - 'Get-IndexedItem' - 'Get-Screenshot' - 'Invoke-Inveigh' - 'Invoke-NetRipper' - 'Invoke-EgressCheck' - 'Invoke-PostExfil' - 'Invoke-PSInject' - 'Invoke-RunAs' - 'MailRaider' - 'New-HoneyHash' - 'Set-MacAttribute' - 'Invoke-DCSync' - 'Invoke-PowerDump' - 'Exploit-Jboss' - 'Invoke-ThunderStruck' - 'Invoke-VoiceTroll' - 'Set-Wallpaper' - 'Invoke-InveighRelay' - 'Invoke-PsExec' - 'Invoke-SSHCommand' - 'Get-SecurityPackages' - 'Install-SSP' - 'Invoke-BackdoorLNK' - 'PowerBreach' - 'Get-SiteListPassword' - 'Get-System' - 'Invoke-BypassUAC' - 'Invoke-Tater' - 'Invoke-WScriptBypassUAC' - 'PowerUp' - 'PowerView' - 'Get-RickAstley' - 'Find-Fruit' - 'HTTP-Login' - 'Find-TrustedDocuments' - 'Invoke-Paranoia' - 'Invoke-WinEnum' - 'Invoke-ARPScan' - 'Invoke-PortScan' - 'Invoke-ReverseDNSLookup' - 'Invoke-SMBScanner' - 'Invoke-Mimikittenz' - 'Invoke-AllChecks' false_positives: ScriptBlockText|contains: - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1 - C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1 # false positive form Amazon EC2 condition: select_Malicious and not false_positives falsepositives: - Unknown level: high