title: Malicious PowerShell Scripts - PoshModule
id: 41025fd7-0466-4650-a813-574aaacbe7f4
related:
    - id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
      type: similar
    - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
      type: obsoletes
status: experimental
description: Detects the execution of known offensive PowerShell scripts used for exploitation or reconnaissance
references:
    - https://github.com/PowerShellMafia/PowerSploit
    - https://github.com/NetSPI/PowerUpSQL
    - https://github.com/CsEnox/EventViewer-UACBypass
    - https://github.com/AlsidOfficial/WSUSpendu/
    - https://github.com/nettitude/Invoke-PowerThIEf
    - https://github.com/S3cur3Th1sSh1t/WinPwn
    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
    - https://github.com/HarmJ0y/DAMP
    - https://github.com/samratashok/nishang
    - https://github.com/DarkCoderSc/PowerRunAsSystem/
    - https://github.com/besimorhino/powercat
author: frack113, Nasreddine Bencherchali
date: 2023/01/20
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
    selection:
        ContextInfo|contains:
            - '\Add-ConstrainedDelegationBackdoor.ps1'
            - '\Add-Exfiltration.ps1'
            - '\Add-Persistence.ps1'
            - '\Add-RegBackdoor.ps1'
            - '\Add-RemoteRegBackdoor.ps1'
            - '\Add-ScrnSaveBackdoor.ps1'
            - '\Check-VM.ps1'
            - '\ConvertTo-ROT13.ps1'
            - '\Copy-VSS.ps1'
            - '\Create-MultipleSessions.ps1'
            - '\DNS_TXT_Pwnage.ps1'
            - '\Do-Exfiltration.ps1'
            - '\DomainPasswordSpray.ps1'
            - '\Download_Execute.ps1'
            - '\Download-Execute-PS.ps1'
            - '\Enabled-DuplicateToken.ps1'
            - '\Enable-DuplicateToken.ps1'
            - '\Execute-Command-MSSQL.ps1'
            - '\Execute-DNSTXT-Code.ps1'
            - '\Execute-OnTime.ps1'
            - '\ExetoText.ps1'
            - '\Exploit-Jboss.ps1'
            - '\Find-AVSignature.ps1'
            - '\Find-Fruit.ps1'
            - '\Find-GPOLocation.ps1'
            - '\Find-TrustedDocuments.ps1'
            - '\FireBuster.ps1'
            - '\FireListener.ps1'
            - '\Get-ApplicationHost.ps1'
            - '\Get-ChromeDump.ps1'
            - '\Get-ClipboardContents.ps1'
            - '\Get-ComputerDetail.ps1'
            - '\Get-FoxDump.ps1'
            - '\Get-GPPAutologon.ps1'
            - '\Get-GPPPassword.ps1'
            - '\Get-IndexedItem.ps1'
            - '\Get-Keystrokes.ps1'
            - '\Get-LSASecret.ps1'
            - '\Get-MicrophoneAudio.ps1'
            - '\Get-PassHashes.ps1'
            - '\Get-PassHints.ps1'
            - '\Get-RegAlwaysInstallElevated.ps1'
            - '\Get-RegAutoLogon.ps1'
            - '\Get-RickAstley.ps1'
            - '\Get-Screenshot.ps1'
            - '\Get-SecurityPackages.ps1'
            - '\Get-ServiceFilePermission.ps1'
            - '\Get-ServicePermission.ps1'
            - '\Get-ServiceUnquoted.ps1'
            - '\Get-SiteListPassword.ps1'
            - '\Get-System.ps1'
            - '\Get-TimedScreenshot.ps1'
            - '\Get-UnattendedInstallFile.ps1'
            - '\Get-Unconstrained.ps1'
            - '\Get-USBKeystrokes.ps1'
            - '\Get-VaultCredential.ps1'
            - '\Get-VulnAutoRun.ps1'
            - '\Get-VulnSchTask.ps1'
            - '\Get-WebConfig.ps1'
            - '\Get-WebCredentials.ps1'
            - '\Get-WLAN-Keys.ps1'
            - '\Gupt-Backdoor.ps1'
            - '\HTTP-Backdoor.ps1'
            - '\HTTP-Login.ps1'
            - '\Install-ServiceBinary.ps1'
            - '\Install-SSP.ps1'
            - '\Invoke-ACLScanner.ps1'
            - '\Invoke-ADSBackdoor.ps1'
            - '\Invoke-AmsiBypass.ps1'
            - '\Invoke-ARPScan.ps1'
            - '\Invoke-BackdoorLNK.ps1'
            - '\Invoke-BadPotato.ps1'
            - '\Invoke-BetterSafetyKatz.ps1'
            - '\Invoke-BruteForce.ps1'
            - '\Invoke-BypassUAC.ps1'
            - '\Invoke-Carbuncle.ps1'
            - '\Invoke-Certify.ps1'
            - '\Invoke-ConPtyShell.ps1'
            - '\Invoke-CredentialInjection.ps1'
            - '\Invoke-CredentialsPhish.ps1'
            - '\Invoke-DAFT.ps1'
            - '\Invoke-DCSync.ps1'
            - '\Invoke-Decode.ps1'
            - '\Invoke-DinvokeKatz.ps1'
            - '\Invoke-DllInjection.ps1'
            - '\Invoke-DowngradeAccount.ps1'
            - '\Invoke-EgressCheck.ps1'
            - '\Invoke-Encode.ps1'
            - '\Invoke-EventViewer.ps1'
            - '\Invoke-Eyewitness.ps1'
            - '\Invoke-FakeLogonScreen.ps1'
            - '\Invoke-Farmer.ps1'
            - '\Invoke-Get-RBCD-Threaded.ps1'
            - '\Invoke-Gopher.ps1'
            - '\Invoke-Grouper2.ps1'
            - '\Invoke-Grouper3.ps1'
            - '\Invoke-HandleKatz.ps1'
            - '\Invoke-Interceptor.ps1'
            - '\Invoke-Internalmonologue.ps1'
            - '\Invoke-Inveigh.ps1'
            - '\Invoke-InveighRelay.ps1'
            - '\Invoke-JSRatRegsvr.ps1'
            - '\Invoke-JSRatRundll.ps1'
            - '\Invoke-KrbRelay.ps1'
            - '\Invoke-KrbRelayUp.ps1'
            - '\Invoke-LdapSignCheck.ps1'
            - '\Invoke-Lockless.ps1'
            - '\Invoke-MalSCCM.ps1'
            - '\Invoke-Mimikatz.ps1'
            - '\Invoke-MimikatzWDigestDowngrade.ps1'
            - '\Invoke-Mimikittenz.ps1'
            - '\Invoke-MITM6.ps1'
            - '\Invoke-NanoDump.ps1'
            - '\Invoke-NetRipper.ps1'
            - '\Invoke-NetworkRelay.ps1'
            - '\Invoke-NinjaCopy.ps1'
            - '\Invoke-OxidResolver.ps1'
            - '\Invoke-P0wnedshell.ps1'
            - '\Invoke-P0wnedshellx86.ps1'
            - '\Invoke-Paranoia.ps1'
            - '\Invoke-PortScan.ps1'
            - '\Invoke-PoshRatHttp.ps1'
            - '\Invoke-PoshRatHttps.ps1'
            - '\Invoke-PostExfil.ps1'
            - '\Invoke-PowerDump.ps1'
            - '\Invoke-PowerShellIcmp.ps1'
            - '\Invoke-PowerShellTCP.ps1'
            - '\Invoke-PowerShellTcpOneLine.ps1'
            - '\Invoke-PowerShellTcpOneLineBind.ps1'
            - '\Invoke-PowerShellUdp.ps1'
            - '\Invoke-PowerShellUdpOneLine.ps1'
            - '\Invoke-PowerShellWMI.ps1'
            - '\Invoke-PowerThIEf.ps1'
            - '\Invoke-PPLDump.ps1'
            - '\Invoke-Prasadhak.ps1'
            - '\Invoke-PsExec.ps1'
            - '\Invoke-PsGcat.ps1'
            - '\Invoke-PsGcatAgent.ps1'
            - '\Invoke-PSInject.ps1'
            - '\Invoke-PsUaCme.ps1'
            - '\Invoke-ReflectivePEInjection.ps1'
            - '\Invoke-ReverseDNSLookup.ps1'
            - '\Invoke-Rubeus.ps1'
            - '\Invoke-RunAs.ps1'
            - '\Invoke-SafetyKatz.ps1'
            - '\Invoke-SauronEye.ps1'
            - '\Invoke-SCShell.ps1'
            - '\Invoke-Seatbelt.ps1'
            - '\Invoke-ServiceAbuse.ps1'
            - '\Invoke-SessionGopher.ps1'
            - '\Invoke-SharpAllowedToAct.ps1'
            - '\Invoke-SharpBlock.ps1'
            - '\Invoke-SharpBypassUAC.ps1'
            - '\Invoke-SharpChromium.ps1'
            - '\Invoke-SharpClipboard.ps1'
            - '\Invoke-SharpCloud.ps1'
            - '\Invoke-SharpDPAPI.ps1'
            - '\Invoke-SharpDump.ps1'
            - '\Invoke-SharPersist.ps1'
            - '\Invoke-SharpGPOAbuse.ps1'
            - '\Invoke-SharpGPO-RemoteAccessPolicies.ps1'
            - '\Invoke-SharpHandler.ps1'
            - '\Invoke-SharpHide.ps1'
            - '\Invoke-Sharphound2.ps1'
            - '\Invoke-Sharphound3.ps1'
            - '\Invoke-SharpHound4.ps1'
            - '\Invoke-SharpImpersonation.ps1'
            - '\Invoke-SharpImpersonationNoSpace.ps1'
            - '\Invoke-SharpKatz.ps1'
            - '\Invoke-SharpLdapRelayScan.ps1'
            - '\Invoke-Sharplocker.ps1'
            - '\Invoke-SharpLoginPrompt.ps1'
            - '\Invoke-SharpMove.ps1'
            - '\Invoke-SharpPrinter.ps1'
            - '\Invoke-SharpPrintNightmare.ps1'
            - '\Invoke-SharpRDP.ps1'
            - '\Invoke-SharpSCCM.ps1'
            - '\Invoke-SharpSecDump.ps1'
            - '\Invoke-Sharpshares.ps1'
            - '\Invoke-SharpSniper.ps1'
            - '\Invoke-SharpSploit.ps1'
            - '\Invoke-Sharpsploit_nomimi.ps1'
            - '\Invoke-SharpSpray.ps1'
            - '\Invoke-SharpSSDP.ps1'
            - '\Invoke-SharpStay.ps1'
            - '\Invoke-SharpUp.ps1'
            - '\Invoke-Sharpview.ps1'
            - '\Invoke-SharpWatson.ps1'
            - '\Invoke-Sharpweb.ps1'
            - '\Invoke-SharpWSUS.ps1'
            - '\Invoke-ShellCode.ps1'
            - '\Invoke-SMBScanner.ps1'
            - '\Invoke-Snaffler.ps1'
            - '\Invoke-Spoolsample.ps1'
            - '\Invoke-SSHCommand.ps1'
            - '\Invoke-SSIDExfil.ps1'
            - '\Invoke-StandIn.ps1'
            - '\Invoke-StickyNotesExtract.ps1'
            - '\Invoke-Tater.ps1'
            - '\Invoke-Thunderfox.ps1'
            - '\Invoke-ThunderStruck.ps1'
            - '\Invoke-TokenManipulation.ps1'
            - '\Invoke-Tokenvator.ps1'
            - '\Invoke-TotalExec.ps1'
            - '\Invoke-UrbanBishop.ps1'
            - '\Invoke-UserHunter.ps1'
            - '\Invoke-VoiceTroll.ps1'
            - '\Invoke-Whisker.ps1'
            - '\Invoke-WinEnum.ps1'
            - '\Invoke-winPEAS.ps1'
            - '\Invoke-WireTap.ps1'
            - '\Invoke-WmiCommand.ps1'
            - '\Invoke-WScriptBypassUAC.ps1'
            - '\Invoke-Zerologon.ps1'
            - '\Keylogger.ps1'
            - '\MailRaider.ps1'
            - '\New-HoneyHash.ps1'
            - '\OfficeMemScraper.ps1'
            - '\Offline_Winpwn.ps1'
            - '\Out-CHM.ps1'
            - '\Out-DnsTxt.ps1'
            - '\Out-Excel.ps1'
            - '\Out-HTA.ps1'
            - '\Out-Java.ps1'
            - '\Out-JS.ps1'
            - '\Out-Minidump.ps1'
            - '\Out-RundllCommand.ps1'
            - '\Out-SCF.ps1'
            - '\Out-SCT.ps1'
            - '\Out-Shortcut.ps1'
            - '\Out-WebQuery.ps1'
            - '\Out-Word.ps1'
            - '\Parse_Keys.ps1'
            - '\Port-Scan.ps1'
            - '\PowerBreach.ps1'
            - '\powercat.ps1'
            - '\PowerRunAsSystem.psm1'
            - '\PowerSharpPack.ps1'
            - '\PowerUp.ps1'
            - '\PowerUpSQL.ps1'
            - '\PowerView.ps1'
            - '\PSAsyncShell.ps1'
            - '\RemoteHashRetrieval.ps1'
            - '\Remove-Persistence.ps1'
            - '\Remove-PoshRat.ps1'
            - '\Remove-Update.ps1'
            - '\Run-EXEonRemote.ps1'
            - '\Set-DCShadowPermissions.ps1'
            - '\Set-MacAttribute.ps1'
            - '\Set-RemotePSRemoting.ps1'
            - '\Set-RemoteWMI.ps1'
            - '\Set-Wallpaper.ps1'
            - '\Show-TargetScreen.ps1'
            - '\Speak.ps1'
            - '\Start-CaptureServer.ps1'
            - '\Start-WebcamRecorder.ps1'
            - '\StringToBase64.ps1'
            - '\TexttoExe.ps1'
            - '\VolumeShadowCopyTools.ps1'
            - '\WinPwn.ps1'
            - '\WSUSpendu.ps1'
    condition: selection
falsepositives:
    - Unknown
level: high
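The rule's detection logic replayed over PowerShell Module Logging records (Event ID 4103), as an added example that is not part of the Sigma rule above or of any of the referenced projects. The four events, their hosts, users and paths are constructed for this example; the `Key = Value` layout of the ContextInfo text follows what the 4103 event writes into that field. SCRIPT_PATTERNS is a small subset of the rule's `ContextInfo|contains` list, taken verbatim from the rule; a deployment would load the full list from the rule file.

```python
"""
Added example, not the rule's own code: apply the rule's
`ContextInfo|contains` selection to constructed Event ID 4103 records.
Everything below (hosts, users, paths, the event text) is constructed.
"""
import re

# Subset of the rule's `ContextInfo|contains` values, kept exactly as
# written in the rule (leading backslash, original casing).
SCRIPT_PATTERNS = [
    r"\Invoke-Mimikatz.ps1",
    r"\PowerView.ps1",
    r"\Get-GPPPassword.ps1",
    r"\Invoke-SharpHound4.ps1",
    r"\powercat.ps1",
]


def build_context_info(command_name: str, script_name: str, user: str) -> str:
    """Constructed 4103 ContextInfo text in the 'Key = Value' layout of the event."""
    return (
        "        Severity = Informational\n"
        "        Host Name = ConsoleHost\n"
        "        Host Version = 5.1.19041.1\n"
        "        Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
        "        Engine Version = 5.1.19041.1\n"
        f"        Command Name = {command_name}\n"
        "        Command Type = Function\n"
        f"        Script Name = {script_name}\n"
        "        Sequence Number = 15\n"
        f"        User = {user}\n"
        "        Shell ID = Microsoft.PowerShell\n"
    )


# Constructed events: two true positives (one with unusual casing), one
# benign script, and one offensive script renamed to dodge a name match.
EVENTS = [
    {"EventID": 4103, "Computer": "WS01.corp.example",
     "ContextInfo": build_context_info(
         "Invoke-Mimikatz", r"C:\Users\bob\Downloads\Invoke-Mimikatz.ps1", r"CORP\bob")},
    {"EventID": 4103, "Computer": "WS02.corp.example",
     "ContextInfo": build_context_info(
         "Get-NetUser", r"C:\TOOLS\POWERVIEW.PS1", r"CORP\alice")},
    {"EventID": 4103, "Computer": "SRV01.corp.example",
     "ContextInfo": build_context_info(
         "Get-ChildItem", r"C:\Scripts\Backup-Share.ps1", r"CORP\svc_backup")},
    {"EventID": 4103, "Computer": "WS01.corp.example",
     "ContextInfo": build_context_info(
         "Invoke-Mimikatz", r"C:\Users\bob\Downloads\Update-Cache.ps1", r"CORP\bob")},
]


def extract_field(context_info: str, name: str) -> str:
    """Return one 'Name = value' entry from a ContextInfo blob ('' if absent)."""
    m = re.search(rf"^\s*{re.escape(name)} = (.*)$", context_info, re.MULTILINE)
    return m.group(1).strip() if m else ""


def matched_patterns(event: dict) -> list:
    """Sigma `contains` is a case-insensitive substring test; apply it per pattern."""
    haystack = event.get("ContextInfo", "").lower()
    return [p for p in SCRIPT_PATTERNS if p.lower() in haystack]


def matches_rule(event: dict) -> bool:
    """The rule's condition is just `selection`: any pattern hit on a 4103 record alerts."""
    return event.get("EventID") == 4103 and bool(matched_patterns(event))


def run_rule(events: list) -> list:
    """Return one alert per matching event with the fields an analyst triages on."""
    alerts = []
    for ev in events:
        if not matches_rule(ev):
            continue
        alerts.append({
            "Computer": ev["Computer"],
            "User": extract_field(ev["ContextInfo"], "User"),
            "ScriptName": extract_field(ev["ContextInfo"], "Script Name"),
            "CommandName": extract_field(ev["ContextInfo"], "Command Name"),
            "matched": matched_patterns(ev),
        })
    return alerts


if __name__ == "__main__":
    for alert in run_rule(EVENTS):
        print(alert)
```

Two points the constructed records make visible. Matching is done on the lowercased ContextInfo because Sigma's `contains` modifier is case-insensitive, so `C:\TOOLS\POWERVIEW.PS1` still fires; and the leading backslash in every pattern anchors the match on a path separator, so the pattern only hits the file name component. The fourth event shows the limit of the rule: it keys on script file names, so a renamed copy of Invoke-Mimikatz.ps1 produces no alert even though `Command Name = Invoke-Mimikatz` is still present in the same record.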