title: Malicious PowerShell Commandlets - ScriptBlock id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 related: - id: f331aa1f-8c53-4fc3-b083-cc159bc971cb type: similar - id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf type: obsoletes - id: 83083ac6-1816-4e76-97d7-59af9a9ae46e type: obsoletes status: test description: Detects Commandlet names from well-known PowerShell exploitation frameworks references: - https://adsecurity.org/?p=2921 - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1 - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1 - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1 - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1 - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1 - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html - https://github.com/HarmJ0y/DAMP author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer date: 2017/03/05 modified: 2023/01/05 tags: - attack.execution - attack.discovery - attack.t1482 - attack.t1087 - attack.t1087.001 - attack.t1087.002 - attack.t1069.001 - attack.t1069.002 - attack.t1069 - attack.t1059.001 logsource: product: windows category: ps_script definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains: - 'Add-Exfiltration' - 'Add-Persistence' - 'Add-RegBackdoor' - 'Add-RemoteRegBackdoor' - 'Add-ScrnSaveBackdoor' - 'Check-VM' - 'ConvertTo-Rc4ByteStream' - 'Decrypt-Hash' - 'Do-Exfiltration' - 'Enabled-DuplicateToken' - 'Exploit-Jboss' - 'Find-Fruit' - 'Find-GPOLocation' - 'Find-TrustedDocuments' - 'Get-ApplicationHost' - 'Get-ChromeDump' - 'Get-ClipboardContents' - 'Get-FoxDump' - 'Get-GPPPassword' - 'Get-IndexedItem' - 'Get-Keystrokes' - 'Get-LSASecret' - 'Get-PassHashes' - 'Get-RegAlwaysInstallElevated' - 'Get-RegAutoLogon' - 'Get-RemoteBootKey' - 'Get-RemoteCachedCredential' - 'Get-RemoteLocalAccountHash' - 'Get-RemoteLSAKey' - 'Get-RemoteMachineAccountHash' - 'Get-RemoteNLKMKey' - 'Get-RickAstley' - 'Get-Screenshot' - 'Get-SecurityPackages' - 'Get-ServiceFilePermission' - 'Get-ServicePermission' - 'Get-ServiceUnquoted' - 'Get-SiteListPassword' - 'Get-System' - 'Get-TimedScreenshot' - 'Get-UnattendedInstallFile' - 'Get-Unconstrained' - 'Get-USBKeystrokes' - 'Get-VaultCredential' - 'Get-VulnAutoRun' - 'Get-VulnSchTask' - 'Gupt-Backdoor' - 'HTTP-Login' - 'Install-ServiceBinary' - 'Install-SSP' - 'Invoke-ACLScanner' - 'Invoke-ADSBackdoor' - 'Invoke-AllChecks' - 'Invoke-ARPScan' - 'Invoke-AzureHound' - 'Invoke-BackdoorLNK' - 'Invoke-BadPotato' - 'Invoke-BetterSafetyKatz' - 'Invoke-BypassUAC' - 'Invoke-Carbuncle' - 'Invoke-Certify' - 'Invoke-ConPtyShell' - 'Invoke-CredentialInjection' - 'Invoke-DAFT' - 'Invoke-DCSync' - 'Invoke-DinvokeKatz' - 'Invoke-DllInjection' - 'Invoke-DomainPasswordSpray' - 'Invoke-DowngradeAccount' - 'Invoke-EgressCheck' - 'Invoke-Eyewitness' - 'Invoke-FakeLogonScreen' - 'Invoke-Farmer' - 'Invoke-Get-RBCD-Threaded' - 'Invoke-Gopher' - 'Invoke-Grouper' # cover Invoke-GrouperX - 'Invoke-HandleKatz' - 'Invoke-Internalmonologue' - 'Invoke-Inveigh' - 'Invoke-InveighRelay' - 'Invoke-KrbRelay' - 'Invoke-LdapSignCheck' - 'Invoke-Lockless' - 'Invoke-MalSCCM' - 'Invoke-Mimikatz' - 'Invoke-Mimikittenz' - 'Invoke-MITM6' - 'Invoke-NanoDump' - 'Invoke-NetRipper' - 'Invoke-Nightmare' - 'Invoke-NinjaCopy' - 'Invoke-OfficeScrape' - 'Invoke-OxidResolver' - 'Invoke-P0wnedshell' - 'Invoke-Paranoia' - 'Invoke-PortScan' - 'Invoke-PoshRatHttp' - 'Invoke-PostExfil' - 'Invoke-PowerDump' - 'Invoke-PowerShellTCP' - 'Invoke-PowerShellWMI' - 'Invoke-PPLDump' - 'Invoke-PsExec' - 'Invoke-PSInject' - 'Invoke-PsUaCme' - 'Invoke-ReflectivePEInjection' - 'Invoke-ReverseDNSLookup' - 'Invoke-Rubeus' - 'Invoke-RunAs' - 'Invoke-SafetyKatz' - 'Invoke-SauronEye' - 'Invoke-SCShell' - 'Invoke-Seatbelt' - 'Invoke-ServiceAbuse' - 'Invoke-ShadowSpray' - 'Invoke-SharpAllowedToAct' - 'Invoke-SharpBlock' - 'Invoke-SharpBypassUAC' - 'Invoke-SharpChromium' - 'Invoke-SharpClipboard' - 'Invoke-SharpCloud' - 'Invoke-SharpDPAPI' - 'Invoke-SharpDump' - 'Invoke-SharPersist' - 'Invoke-SharpGPOAbuse' - 'Invoke-SharpGPO-RemoteAccessPolicies' - 'Invoke-SharpHandler' - 'Invoke-SharpHide' - 'Invoke-Sharphound' # cover Invoke-SharpHound2, Invoke-SharpHound3,. - 'Invoke-SharpImpersonation' - 'Invoke-SharpImpersonationNoSpace' - 'Invoke-SharpKatz' - 'Invoke-SharpLdapRelayScan' - 'Invoke-Sharplocker' - 'Invoke-SharpLoginPrompt' - 'Invoke-SharpMove' - 'Invoke-SharpPrinter' - 'Invoke-SharpPrintNightmare' - 'Invoke-SharpRDP' - 'Invoke-SharpSCCM' - 'Invoke-SharpSecDump' - 'Invoke-Sharpshares' - 'Invoke-SharpSniper' - 'Invoke-SharpSploit' - 'Invoke-SharpSpray' - 'Invoke-SharpSSDP' - 'Invoke-SharpStay' - 'Invoke-SharpUp' - 'Invoke-Sharpview' - 'Invoke-SharpWatson' - 'Invoke-Sharpweb' - 'Invoke-SharpWSUS' - 'Invoke-Shellcode' - 'Invoke-SMBScanner' - 'Invoke-Snaffler' - 'Invoke-Spoolsample' - 'Invoke-SpraySinglePassword' - 'Invoke-SSHCommand' - 'Invoke-StandIn' - 'Invoke-StickyNotesExtract' - 'Invoke-Tater' - 'Invoke-Thunderfox' - 'Invoke-ThunderStruck' - 'Invoke-TokenManipulation' - 'Invoke-Tokenvator' - 'Invoke-TotalExec' - 'Invoke-UrbanBishop' - 'Invoke-UserHunter' - 'Invoke-VoiceTroll' - 'Invoke-Whisker' - 'Invoke-WinEnum' - 'Invoke-winPEAS' - 'Invoke-WireTap' - 'Invoke-WmiCommand' - 'Invoke-WScriptBypassUAC' - 'Invoke-Zerologon' - 'MailRaider' - 'New-HoneyHash' - 'New-InMemoryModule' - 'Out-Minidump' - 'Port-Scan' - 'PowerBreach' - 'PowerUp' - 'PowerView' - 'Remove-Update' - 'Set-MacAttribute' - 'Set-Wallpaper' - 'Show-TargetScreen' - 'Start-CaptureServer' - 'Start-WebcamRecorder' - 'VolumeShadowCopyTools' filter_1: ScriptBlockText|contains: - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1 - C:\ProgramData\Amazon\EC2-Windows\Launch\Module\ # false positive form Amazon EC2 filter_2: ScriptBlockText|startswith: '# Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved' condition: selection and not 1 of filter_* falsepositives: - Unknown level: high