title: Malicious PowerShell Keywords
status: experimental
description: Detects keywords from well-known PowerShell exploitation frameworks
modified: 2019/01/22
references:
    - https://adsecurity.org/?p=2921
tags:
    - attack.execution
    - attack.t1086
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
    product: windows
    service: powershell
    definition: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
    keywords:
        - AdjustTokenPrivileges
        - IMAGE_NT_OPTIONAL_HDR64_MAGIC
        - Microsoft.Win32.UnsafeNativeMethods
        - ReadProcessMemory.Invoke
        - SE_PRIVILEGE_ENABLED
        - LSA_UNICODE_STRING
        - MiniDumpWriteDump
        - PAGE_EXECUTE_READ
        - SECURITY_DELEGATION
        - TOKEN_ADJUST_PRIVILEGES
        - TOKEN_ALL_ACCESS
        - TOKEN_ASSIGN_PRIMARY
        - TOKEN_DUPLICATE
        - TOKEN_ELEVATION
        - TOKEN_IMPERSONATE
        - TOKEN_INFORMATION_CLASS
        - TOKEN_PRIVILEGES
        - TOKEN_QUERY
        - Metasploit
        - Mimikatz
    condition: keywords
falsepositives:
    - Penetration tests
level: high