title: Accessing WinAPI in PowerShell
id: 03d83090-8cba-44a0-b02f-0b756a050306
status: experimental
description: Detects the use of WinAPI functions in PowerShell
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Nikita Nazarov, oscd.community
date: 2020/10/06
modified: 2021/10/16
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1106
logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
detection:
    SELECTION_1:
        ScriptBlockText: '*WaitForSingleObject*'
    SELECTION_2:
        ScriptBlockText: '*QueueUserApc*'
    SELECTION_3:
        ScriptBlockText: '*RtlCreateUserThread*'
    SELECTION_4:
        ScriptBlockText: '*OpenProcess*'
    SELECTION_5:
        ScriptBlockText: '*VirtualAlloc*'
    SELECTION_6:
        ScriptBlockText: '*VirtualFree*'
    SELECTION_7:
        ScriptBlockText: '*WriteProcessMemory*'
    SELECTION_8:
        ScriptBlockText: '*CreateUserThread*'
    SELECTION_9:
        ScriptBlockText: '*CloseHandle*'
    SELECTION_10:
        ScriptBlockText: '*GetDelegateForFunctionPointer*'
    SELECTION_11:
        ScriptBlockText: '*CreateThread*'
    SELECTION_12:
        ScriptBlockText: '*memcpy*'
    SELECTION_13:
        ScriptBlockText: '*LoadLibrary*'
    SELECTION_14:
        ScriptBlockText: '*GetModuleHandle*'
    SELECTION_15:
        ScriptBlockText: '*GetProcAddress*'
    SELECTION_16:
        ScriptBlockText: '*VirtualProtect*'
    SELECTION_17:
        ScriptBlockText: '*FreeLibrary*'
    SELECTION_18:
        ScriptBlockText: '*ReadProcessMemory*'
    SELECTION_19:
        ScriptBlockText: '*CreateRemoteThread*'
    SELECTION_20:
        ScriptBlockText: '*AdjustTokenPrivileges*'
    SELECTION_21:
        ScriptBlockText: '*WriteByte*'
    SELECTION_22:
        ScriptBlockText: '*WriteInt32*'
    SELECTION_23:
        ScriptBlockText: '*OpenThreadToken*'
    SELECTION_24:
        ScriptBlockText: '*PtrToString*'
    SELECTION_25:
        ScriptBlockText: '*FreeHGlobal*'
    SELECTION_26:
        ScriptBlockText: '*ZeroFreeGlobalAllocUnicode*'
    SELECTION_27:
        ScriptBlockText: '*OpenProcessToken*'
    SELECTION_28:
        ScriptBlockText: '*GetTokenInformation*'
    SELECTION_29:
        ScriptBlockText: '*SetThreadToken*'
    SELECTION_30:
        ScriptBlockText: '*ImpersonateLoggedOnUser*'
    SELECTION_31:
        ScriptBlockText: '*RevertToSelf*'
    SELECTION_32:
        ScriptBlockText: '*GetLogonSessionData*'
    SELECTION_33:
        ScriptBlockText: '*CreateProcessWithToken*'
    SELECTION_34:
        ScriptBlockText: '*DuplicateTokenEx*'
    SELECTION_35:
        ScriptBlockText: '*OpenWindowStation*'
    SELECTION_36:
        ScriptBlockText: '*OpenDesktop*'
    SELECTION_37:
        ScriptBlockText: '*MiniDumpWriteDump*'
    SELECTION_38:
        ScriptBlockText: '*AddSecurityPackage*'
    SELECTION_39:
        ScriptBlockText: '*EnumerateSecurityPackages*'
    SELECTION_40:
        ScriptBlockText: '*GetProcessHandle*'
    SELECTION_41:
        ScriptBlockText: '*DangerousGetHandle*'
    SELECTION_42:
        ScriptBlockText: '*kernel32*'
    SELECTION_43:
        ScriptBlockText: '*Advapi32*'
    SELECTION_44:
        ScriptBlockText: '*msvcrt*'
    SELECTION_45:
        ScriptBlockText: '*ntdll*'
    SELECTION_46:
        ScriptBlockText: '*user32*'
    SELECTION_47:
        ScriptBlockText: '*secur32*'
    condition: 1 of SELECTION_*
falsepositives:
    - Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)
level: high
yml_filename: powershell_accessing_win_api.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script