Nasreddine Bencherchali
305 lines
12 KiB
YAML
305 lines
12 KiB
YAML
title: Malicious PowerShell Scripts - PoshModule
|
|
id: 41025fd7-0466-4650-a813-574aaacbe7f4
|
|
related:
|
|
- id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
|
|
type: similar
|
|
- id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
|
|
type: obsoletes
|
|
status: experimental
|
|
description: Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance
|
|
references:
|
|
- https://github.com/PowerShellMafia/PowerSploit
|
|
- https://github.com/NetSPI/PowerUpSQL
|
|
- https://github.com/CsEnox/EventViewer-UACBypass
|
|
- https://github.com/AlsidOfficial/WSUSpendu/
|
|
- https://github.com/nettitude/Invoke-PowerThIEf
|
|
- https://github.com/S3cur3Th1sSh1t/WinPwn
|
|
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
|
|
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
|
|
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
|
|
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
|
|
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
|
|
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
|
|
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
|
|
- https://github.com/HarmJ0y/DAMP
|
|
- https://github.com/samratashok/nishang
|
|
- https://github.com/DarkCoderSc/PowerRunAsSystem/
|
|
- https://github.com/besimorhino/powercat
|
|
author: frack113, Nasreddine Bencherchali
|
|
date: 2023/01/20
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1059.001
|
|
logsource:
|
|
product: windows
|
|
category: ps_module
|
|
definition: 'Requirements: PowerShell Module Logging must be enabled'
|
|
detection:
|
|
selection:
|
|
ContextInfo|contains:
|
|
- '\Add-ConstrainedDelegationBackdoor.ps1'
|
|
- '\Add-Exfiltration.ps1'
|
|
- '\Add-Persistence.ps1'
|
|
- '\Add-RegBackdoor.ps1'
|
|
- '\Add-RemoteRegBackdoor.ps1'
|
|
- '\Add-ScrnSaveBackdoor.ps1'
|
|
- '\Check-VM.ps1'
|
|
- '\ConvertTo-ROT13.ps1'
|
|
- '\Copy-VSS.ps1'
|
|
- '\Create-MultipleSessions.ps1'
|
|
- '\DNS_TXT_Pwnage.ps1'
|
|
- '\Do-Exfiltration.ps1'
|
|
- '\DomainPasswordSpray.ps1'
|
|
- '\Download_Execute.ps1'
|
|
- '\Download-Execute-PS.ps1'
|
|
- '\Enabled-DuplicateToken.ps1'
|
|
- '\Enable-DuplicateToken.ps1'
|
|
- '\Execute-Command-MSSQL.ps1'
|
|
- '\Execute-DNSTXT-Code.ps1'
|
|
- '\Execute-OnTime.ps1'
|
|
- '\ExetoText.ps1'
|
|
- '\Exploit-Jboss.ps1'
|
|
- '\Find-AVSignature.ps1'
|
|
- '\Find-Fruit.ps1'
|
|
- '\Find-GPOLocation.ps1'
|
|
- '\Find-TrustedDocuments.ps1'
|
|
- '\FireBuster.ps1'
|
|
- '\FireListener.ps1'
|
|
- '\Get-ApplicationHost.ps1'
|
|
- '\Get-ChromeDump.ps1'
|
|
- '\Get-ClipboardContents.ps1'
|
|
- '\Get-ComputerDetail.ps1'
|
|
- '\Get-FoxDump.ps1'
|
|
- '\Get-GPPAutologon.ps1'
|
|
- '\Get-GPPPassword.ps1'
|
|
- '\Get-IndexedItem.ps1'
|
|
- '\Get-Keystrokes.ps1'
|
|
- '\Get-LSASecret.ps1'
|
|
- '\Get-MicrophoneAudio.ps1'
|
|
- '\Get-PassHashes.ps1'
|
|
- '\Get-PassHints.ps1'
|
|
- '\Get-RegAlwaysInstallElevated.ps1'
|
|
- '\Get-RegAutoLogon.ps1'
|
|
- '\Get-RickAstley.ps1'
|
|
- '\Get-Screenshot.ps1'
|
|
- '\Get-SecurityPackages.ps1'
|
|
- '\Get-ServiceFilePermission.ps1'
|
|
- '\Get-ServicePermission.ps1'
|
|
- '\Get-ServiceUnquoted.ps1'
|
|
- '\Get-SiteListPassword.ps1'
|
|
- '\Get-System.ps1'
|
|
- '\Get-TimedScreenshot.ps1'
|
|
- '\Get-UnattendedInstallFile.ps1'
|
|
- '\Get-Unconstrained.ps1'
|
|
- '\Get-USBKeystrokes.ps1'
|
|
- '\Get-VaultCredential.ps1'
|
|
- '\Get-VulnAutoRun.ps1'
|
|
- '\Get-VulnSchTask.ps1'
|
|
- '\Get-WebConfig.ps1'
|
|
- '\Get-WebCredentials.ps1'
|
|
- '\Get-WLAN-Keys.ps1'
|
|
- '\Gupt-Backdoor.ps1'
|
|
- '\HTTP-Backdoor.ps1'
|
|
- '\HTTP-Login.ps1'
|
|
- '\Install-ServiceBinary.ps1'
|
|
- '\Install-SSP.ps1'
|
|
- '\Invoke-ACLScanner.ps1'
|
|
- '\Invoke-ADSBackdoor.ps1'
|
|
- '\Invoke-AmsiBypass.ps1'
|
|
- '\Invoke-ARPScan.ps1'
|
|
- '\Invoke-BackdoorLNK.ps1'
|
|
- '\Invoke-BadPotato.ps1'
|
|
- '\Invoke-BetterSafetyKatz.ps1'
|
|
- '\Invoke-BruteForce.ps1'
|
|
- '\Invoke-BypassUAC.ps1'
|
|
- '\Invoke-Carbuncle.ps1'
|
|
- '\Invoke-Certify.ps1'
|
|
- '\Invoke-ConPtyShell.ps1'
|
|
- '\Invoke-CredentialInjection.ps1'
|
|
- '\Invoke-CredentialsPhish.ps1'
|
|
- '\Invoke-DAFT.ps1'
|
|
- '\Invoke-DCSync.ps1'
|
|
- '\Invoke-Decode.ps1'
|
|
- '\Invoke-DinvokeKatz.ps1'
|
|
- '\Invoke-DllInjection.ps1'
|
|
- '\Invoke-DowngradeAccount.ps1'
|
|
- '\Invoke-EgressCheck.ps1'
|
|
- '\Invoke-Encode.ps1'
|
|
- '\Invoke-EventViewer.ps1'
|
|
- '\Invoke-Eyewitness.ps1'
|
|
- '\Invoke-FakeLogonScreen.ps1'
|
|
- '\Invoke-Farmer.ps1'
|
|
- '\Invoke-Get-RBCD-Threaded.ps1'
|
|
- '\Invoke-Gopher.ps1'
|
|
- '\Invoke-Grouper2.ps1'
|
|
- '\Invoke-Grouper3.ps1'
|
|
- '\Invoke-HandleKatz.ps1'
|
|
- '\Invoke-Interceptor.ps1'
|
|
- '\Invoke-Internalmonologue.ps1'
|
|
- '\Invoke-Inveigh.ps1'
|
|
- '\Invoke-InveighRelay.ps1'
|
|
- '\Invoke-JSRatRegsvr.ps1'
|
|
- '\Invoke-JSRatRundll.ps1'
|
|
- '\Invoke-KrbRelay.ps1'
|
|
- '\Invoke-KrbRelayUp.ps1'
|
|
- '\Invoke-LdapSignCheck.ps1'
|
|
- '\Invoke-Lockless.ps1'
|
|
- '\Invoke-MalSCCM.ps1'
|
|
- '\Invoke-Mimikatz.ps1'
|
|
- '\Invoke-MimikatzWDigestDowngrade.ps1'
|
|
- '\Invoke-Mimikittenz.ps1'
|
|
- '\Invoke-MITM6.ps1'
|
|
- '\Invoke-NanoDump.ps1'
|
|
- '\Invoke-NetRipper.ps1'
|
|
- '\Invoke-NetworkRelay.ps1'
|
|
- '\Invoke-NinjaCopy.ps1'
|
|
- '\Invoke-OxidResolver.ps1'
|
|
- '\Invoke-P0wnedshell.ps1'
|
|
- '\Invoke-P0wnedshellx86.ps1'
|
|
- '\Invoke-Paranoia.ps1'
|
|
- '\Invoke-PortScan.ps1'
|
|
- '\Invoke-PoshRatHttp.ps1'
|
|
- '\Invoke-PoshRatHttps.ps1'
|
|
- '\Invoke-PostExfil.ps1'
|
|
- '\Invoke-PowerDump.ps1'
|
|
- '\Invoke-PowerShellIcmp.ps1'
|
|
- '\Invoke-PowerShellTCP.ps1'
|
|
- '\Invoke-PowerShellTcpOneLine.ps1'
|
|
- '\Invoke-PowerShellTcpOneLineBind.ps1'
|
|
- '\Invoke-PowerShellUdp.ps1'
|
|
- '\Invoke-PowerShellUdpOneLine.ps1'
|
|
- '\Invoke-PowerShellWMI.ps1'
|
|
- '\Invoke-PowerThIEf.ps1'
|
|
- '\Invoke-PPLDump.ps1'
|
|
- '\Invoke-Prasadhak.ps1'
|
|
- '\Invoke-PsExec.ps1'
|
|
- '\Invoke-PsGcat.ps1'
|
|
- '\Invoke-PsGcatAgent.ps1'
|
|
- '\Invoke-PSInject.ps1'
|
|
- '\Invoke-PsUaCme.ps1'
|
|
- '\Invoke-ReflectivePEInjection.ps1'
|
|
- '\Invoke-ReverseDNSLookup.ps1'
|
|
- '\Invoke-Rubeus.ps1'
|
|
- '\Invoke-RunAs.ps1'
|
|
- '\Invoke-SafetyKatz.ps1'
|
|
- '\Invoke-SauronEye.ps1'
|
|
- '\Invoke-SCShell.ps1'
|
|
- '\Invoke-Seatbelt.ps1'
|
|
- '\Invoke-ServiceAbuse.ps1'
|
|
- '\Invoke-SessionGopher.ps1'
|
|
- '\Invoke-SharpAllowedToAct.ps1'
|
|
- '\Invoke-SharpBlock.ps1'
|
|
- '\Invoke-SharpBypassUAC.ps1'
|
|
- '\Invoke-SharpChromium.ps1'
|
|
- '\Invoke-SharpClipboard.ps1'
|
|
- '\Invoke-SharpCloud.ps1'
|
|
- '\Invoke-SharpDPAPI.ps1'
|
|
- '\Invoke-SharpDump.ps1'
|
|
- '\Invoke-SharPersist.ps1'
|
|
- '\Invoke-SharpGPOAbuse.ps1'
|
|
- '\Invoke-SharpGPO-RemoteAccessPolicies.ps1'
|
|
- '\Invoke-SharpHandler.ps1'
|
|
- '\Invoke-SharpHide.ps1'
|
|
- '\Invoke-Sharphound2.ps1'
|
|
- '\Invoke-Sharphound3.ps1'
|
|
- '\Invoke-SharpHound4.ps1'
|
|
- '\Invoke-SharpImpersonation.ps1'
|
|
- '\Invoke-SharpImpersonationNoSpace.ps1'
|
|
- '\Invoke-SharpKatz.ps1'
|
|
- '\Invoke-SharpLdapRelayScan.ps1'
|
|
- '\Invoke-Sharplocker.ps1'
|
|
- '\Invoke-SharpLoginPrompt.ps1'
|
|
- '\Invoke-SharpMove.ps1'
|
|
- '\Invoke-SharpPrinter.ps1'
|
|
- '\Invoke-SharpPrintNightmare.ps1'
|
|
- '\Invoke-SharpRDP.ps1'
|
|
- '\Invoke-SharpSCCM.ps1'
|
|
- '\Invoke-SharpSecDump.ps1'
|
|
- '\Invoke-Sharpshares.ps1'
|
|
- '\Invoke-SharpSniper.ps1'
|
|
- '\Invoke-SharpSploit.ps1'
|
|
- '\Invoke-Sharpsploit_nomimi.ps1'
|
|
- '\Invoke-SharpSpray.ps1'
|
|
- '\Invoke-SharpSSDP.ps1'
|
|
- '\Invoke-SharpStay.ps1'
|
|
- '\Invoke-SharpUp.ps1'
|
|
- '\Invoke-Sharpview.ps1'
|
|
- '\Invoke-SharpWatson.ps1'
|
|
- '\Invoke-Sharpweb.ps1'
|
|
- '\Invoke-SharpWSUS.ps1'
|
|
- '\Invoke-ShellCode.ps1'
|
|
- '\Invoke-SMBScanner.ps1'
|
|
- '\Invoke-Snaffler.ps1'
|
|
- '\Invoke-Spoolsample.ps1'
|
|
- '\Invoke-SSHCommand.ps1'
|
|
- '\Invoke-SSIDExfil.ps1'
|
|
- '\Invoke-StandIn.ps1'
|
|
- '\Invoke-StickyNotesExtract.ps1'
|
|
- '\Invoke-Tater.ps1'
|
|
- '\Invoke-Thunderfox.ps1'
|
|
- '\Invoke-ThunderStruck.ps1'
|
|
- '\Invoke-TokenManipulation.ps1'
|
|
- '\Invoke-Tokenvator.ps1'
|
|
- '\Invoke-TotalExec.ps1'
|
|
- '\Invoke-UrbanBishop.ps1'
|
|
- '\Invoke-UserHunter.ps1'
|
|
- '\Invoke-VoiceTroll.ps1'
|
|
- '\Invoke-Whisker.ps1'
|
|
- '\Invoke-WinEnum.ps1'
|
|
- '\Invoke-winPEAS.ps1'
|
|
- '\Invoke-WireTap.ps1'
|
|
- '\Invoke-WmiCommand.ps1'
|
|
- '\Invoke-WScriptBypassUAC.ps1'
|
|
- '\Invoke-Zerologon.ps1'
|
|
- '\Keylogger.ps1'
|
|
- '\MailRaider.ps1'
|
|
- '\New-HoneyHash.ps1'
|
|
- '\OfficeMemScraper.ps1'
|
|
- '\Offline_Winpwn.ps1'
|
|
- '\Out-CHM.ps1'
|
|
- '\Out-DnsTxt.ps1'
|
|
- '\Out-Excel.ps1'
|
|
- '\Out-HTA.ps1'
|
|
- '\Out-Java.ps1'
|
|
- '\Out-JS.ps1'
|
|
- '\Out-Minidump.ps1'
|
|
- '\Out-RundllCommand.ps1'
|
|
- '\Out-SCF.ps1'
|
|
- '\Out-SCT.ps1'
|
|
- '\Out-Shortcut.ps1'
|
|
- '\Out-WebQuery.ps1'
|
|
- '\Out-Word.ps1'
|
|
- '\Parse_Keys.ps1'
|
|
- '\Port-Scan.ps1'
|
|
- '\PowerBreach.ps1'
|
|
- '\powercat.ps1'
|
|
- '\PowerRunAsSystem.psm1'
|
|
- '\PowerSharpPack.ps1'
|
|
- '\PowerUp.ps1'
|
|
- '\PowerUpSQL.ps1'
|
|
- '\PowerView.ps1'
|
|
- '\PSAsyncShell.ps1'
|
|
- '\RemoteHashRetrieval.ps1'
|
|
- '\Remove-Persistence.ps1'
|
|
- '\Remove-PoshRat.ps1'
|
|
- '\Remove-Update.ps1'
|
|
- '\Run-EXEonRemote.ps1'
|
|
- '\Set-DCShadowPermissions.ps1'
|
|
- '\Set-MacAttribute.ps1'
|
|
- '\Set-RemotePSRemoting.ps1'
|
|
- '\Set-RemoteWMI.ps1'
|
|
- '\Set-Wallpaper.ps1'
|
|
- '\Show-TargetScreen.ps1'
|
|
- '\Speak.ps1'
|
|
- '\Start-CaptureServer.ps1'
|
|
- '\Start-WebcamRecorder.ps1'
|
|
- '\StringToBase64.ps1'
|
|
- '\TexttoExe.ps1'
|
|
- '\VolumeShadowCopyTools.ps1'
|
|
- '\WinPwn.ps1'
|
|
- '\WSUSpendu.ps1'
|
|
condition: selection
|
|
falsepositives:
|
|
- Unknown
|
|
level: high
|