title: Malicious PowerShell Commandlet Names id: f331aa1f-8c53-4fc3-b083-cc159bc971cb status: experimental description: Detects the creation of known powershell scripts for exploitation references: - https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml tags: - attack.execution - attack.t1086 # an old one - attack.t1059.001 author: Markus Neis date: 2018/04/07 logsource: category: file_event product: windows detection: selection: TargetFilename|endswith: - '\Invoke-DllInjection.ps1' - '\Invoke-WmiCommand.ps1' - '\Get-GPPPassword.ps1' - '\Get-Keystrokes.ps1' - '\Get-VaultCredential.ps1' - '\Invoke-CredentialInjection.ps1' - '\Invoke-Mimikatz.ps1' - '\Invoke-NinjaCopy.ps1' - '\Invoke-TokenManipulation.ps1' - '\Out-Minidump.ps1' - '\VolumeShadowCopyTools.ps1' - '\Invoke-ReflectivePEInjection.ps1' - '\Get-TimedScreenshot.ps1' - '\Invoke-UserHunter.ps1' - '\Find-GPOLocation.ps1' - '\Invoke-ACLScanner.ps1' - '\Invoke-DowngradeAccount.ps1' - '\Get-ServiceUnquoted.ps1' - '\Get-ServiceFilePermission.ps1' - '\Get-ServicePermission.ps1' - '\Invoke-ServiceAbuse.ps1' - '\Install-ServiceBinary.ps1' - '\Get-RegAutoLogon.ps1' - '\Get-VulnAutoRun.ps1' - '\Get-VulnSchTask.ps1' - '\Get-UnattendedInstallFile.ps1' - '\Get-WebConfig.ps1' - '\Get-ApplicationHost.ps1' - '\Get-RegAlwaysInstallElevated.ps1' - '\Get-Unconstrained.ps1' - '\Add-RegBackdoor.ps1' - '\Add-ScrnSaveBackdoor.ps1' - '\Gupt-Backdoor.ps1' - '\Invoke-ADSBackdoor.ps1' - '\Enabled-DuplicateToken.ps1' - '\Invoke-PsUaCme.ps1' - '\Remove-Update.ps1' - '\Check-VM.ps1' - '\Get-LSASecret.ps1' - '\Get-PassHashes.ps1' - '\Show-TargetScreen.ps1' - '\Port-Scan.ps1' - '\Invoke-PoshRatHttp.ps1' - '\Invoke-PowerShellTCP.ps1' - '\Invoke-PowerShellWMI.ps1' - '\Add-Exfiltration.ps1' - '\Add-Persistence.ps1' - '\Do-Exfiltration.ps1' - '\Start-CaptureServer.ps1' - '\Invoke-ShellCode.ps1' - '\Get-ChromeDump.ps1' - '\Get-ClipboardContents.ps1' - '\Get-FoxDump.ps1' - '\Get-IndexedItem.ps1' - '\Get-Screenshot.ps1' - '\Invoke-Inveigh.ps1' - '\Invoke-NetRipper.ps1' - '\Invoke-EgressCheck.ps1' - '\Invoke-PostExfil.ps1' - '\Invoke-PSInject.ps1' - '\Invoke-RunAs.ps1' - '\MailRaider.ps1' - '\New-HoneyHash.ps1' - '\Set-MacAttribute.ps1' - '\Invoke-DCSync.ps1' - '\Invoke-PowerDump.ps1' - '\Exploit-Jboss.ps1' - '\Invoke-ThunderStruck.ps1' - '\Invoke-VoiceTroll.ps1' - '\Set-Wallpaper.ps1' - '\Invoke-InveighRelay.ps1' - '\Invoke-PsExec.ps1' - '\Invoke-SSHCommand.ps1' - '\Get-SecurityPackages.ps1' - '\Install-SSP.ps1' - '\Invoke-BackdoorLNK.ps1' - '\PowerBreach.ps1' - '\Get-SiteListPassword.ps1' - '\Get-System.ps1' - '\Invoke-BypassUAC.ps1' - '\Invoke-Tater.ps1' - '\Invoke-WScriptBypassUAC.ps1' - '\PowerUp.ps1' - '\PowerView.ps1' - '\Get-RickAstley.ps1' - '\Find-Fruit.ps1' - '\HTTP-Login.ps1' - '\Find-TrustedDocuments.ps1' - '\Invoke-Paranoia.ps1' - '\Invoke-WinEnum.ps1' - '\Invoke-ARPScan.ps1' - '\Invoke-PortScan.ps1' - '\Invoke-ReverseDNSLookup.ps1' - '\Invoke-SMBScanner.ps1' - '\Invoke-Mimikittenz.ps1' condition: selection falsepositives: - Penetration Tests level: high