title: Malicious PowerView PowerShell Commandlets
id: dcd74b95-3f36-4ed9-9598-0490951643aa
status: experimental
description: Detects cmdlet names from PowerView, the Active Directory reconnaissance module of the PowerSploit exploitation framework, in PowerShell script block logs.
references:
    - https://powersploit.readthedocs.io/en/stable/Recon/README
    - https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
    - https://thedfirreport.com/2020/10/08/ryuks-return
    - https://adsecurity.org/?p=2277
author: Bhabesh Raj
date: 2021/05/18
modified: 2021/10/16
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: Script Block Logging must be enabled
detection:
    selection:
        ScriptBlockText|contains:
            - 'Export-PowerViewCSV'
            - 'Get-IPAddress'
            - 'Resolve-IPAddress'
            - 'Convert-NameToSid'
            - 'ConvertTo-SID'
            - 'Convert-ADName'
            - 'ConvertFrom-UACValue'
            - 'Add-RemoteConnection'
            - 'Remove-RemoteConnection'
            - 'Invoke-UserImpersonation'
            - 'Invoke-RevertToSelf'
            - 'Request-SPNTicket'
            - 'Get-DomainSPNTicket'
            - 'Invoke-Kerberoast'
            - 'Get-PathAcl'
            - 'Get-DNSZone'
            - 'Get-DomainDNSZone'
            - 'Get-DNSRecord'
            - 'Get-DomainDNSRecord'
            - 'Get-NetDomain'
            - 'Get-Domain'
            - 'Get-NetDomainController'
            - 'Get-DomainController'
            - 'Get-NetForest'
            - 'Get-Forest'
            - 'Get-NetForestDomain'
            - 'Get-ForestDomain'
            - 'Get-NetForestCatalog'
            - 'Get-ForestGlobalCatalog'
            - 'Find-DomainObjectPropertyOutlier'
            - 'Get-NetUser'
            - 'Get-DomainUser'
            - 'New-DomainUser'
            - 'Set-DomainUserPassword'
            - 'Get-UserEvent'
            - 'Get-DomainUserEvent'
            - 'Get-NetComputer'
            - 'Get-DomainComputer'
            - 'Get-ADObject'
            - 'Get-DomainObject'
            - 'Set-ADObject'
            - 'Set-DomainObject'
            - 'Get-ObjectAcl'
            - 'Get-DomainObjectAcl'
            - 'Add-ObjectAcl'
            - 'Add-DomainObjectAcl'
            - 'Invoke-ACLScanner'
            - 'Find-InterestingDomainAcl'
            - 'Get-NetOU'
            - 'Get-DomainOU'
            - 'Get-NetSite'
            - 'Get-DomainSite'
            - 'Get-NetSubnet'
            - 'Get-DomainSubnet'
            - 'Get-DomainSID'
            - 'Get-NetGroup'
            - 'Get-DomainGroup'
            - 'New-DomainGroup'
            - 'Find-ManagedSecurityGroups'
            - 'Get-DomainManagedSecurityGroup'
            - 'Get-NetGroupMember'
            - 'Get-DomainGroupMember'
            - 'Add-DomainGroupMember'
            - 'Get-NetFileServer'
            - 'Get-DomainFileServer'
            - 'Get-DFSshare'
            - 'Get-DomainDFSShare'
            - 'Get-NetGPO'
            - 'Get-DomainGPO'
            - 'Get-NetGPOGroup'
            - 'Get-DomainGPOLocalGroup'
            - 'Find-GPOLocation'
            - 'Get-DomainGPOUserLocalGroupMapping'
            - 'Find-GPOComputerAdmin'
            - 'Get-DomainGPOComputerLocalGroupMapping'
            - 'Get-DomainPolicy'
            - 'Get-NetLocalGroup'
            - 'Get-NetLocalGroupMember'
            - 'Get-NetShare'
            - 'Get-NetLoggedon'
            - 'Get-NetSession'
            - 'Get-LoggedOnLocal'
            - 'Get-RegLoggedOn'
            - 'Get-NetRDPSession'
            - 'Invoke-CheckLocalAdminAccess'
            - 'Test-AdminAccess'
            - 'Get-SiteName'
            - 'Get-NetComputerSiteName'
            - 'Get-Proxy'
            - 'Get-WMIRegProxy'
            - 'Get-LastLoggedOn'
            - 'Get-WMIRegLastLoggedOn'
            - 'Get-CachedRDPConnection'
            - 'Get-WMIRegCachedRDPConnection'
            - 'Get-RegistryMountedDrive'
            - 'Get-WMIRegMountedDrive'
            - 'Get-NetProcess'
            - 'Get-WMIProcess'
            - 'Find-InterestingFile'
            - 'Invoke-UserHunter'
            - 'Find-DomainUserLocation'
            - 'Invoke-ProcessHunter'
            - 'Find-DomainProcess'
            - 'Invoke-EventHunter'
            - 'Find-DomainUserEvent'
            - 'Invoke-ShareFinder'
            - 'Find-DomainShare'
            - 'Invoke-FileFinder'
            - 'Find-InterestingDomainShareFile'
            - 'Find-LocalAdminAccess'
            - 'Invoke-EnumerateLocalAdmin'
            - 'Find-DomainLocalGroupMember'
            - 'Get-NetDomainTrust'
            - 'Get-DomainTrust'
            - 'Get-NetForestTrust'
            - 'Get-ForestTrust'
            - 'Find-ForeignUser'
            - 'Get-DomainForeignUser'
            - 'Find-ForeignGroup'
            - 'Get-DomainForeignGroupMember'
            - 'Invoke-MapDomainTrust'
            - 'Get-DomainTrustMapping'
    condition: selection
falsepositives:
    - Should not be any, as administrators do not use this tool
    - Get-ADObject and Set-ADObject are also cmdlet names in Microsoft's ActiveDirectory PowerShell module, so those two substrings can match legitimate administration scripts and should be reviewed in context
level: high
yml_filename: powershell_powerview_malicious_commandlets.yml
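The rule above is a flat substring match over the ScriptBlockText field of PowerShell Event ID 4104 records: each `'*Name*'` value is a Sigma wildcard string, the comparison is case-insensitive, and the condition fires when any one value matches. The following Python script is an added example (not part of the Sigma rule or the PowerSploit project) that implements that matching semantics and runs it over constructed 4104 records. It uses a subset of the rule's patterns to stay short; the sample records, the `EventID` and `RecordId` field names, and the `AD_MODULE_OVERLAP` heuristic that flags hits which could equally come from Microsoft's ActiveDirectory module are all assumptions made for the example.

```python
"""Apply the PowerView Sigma rule's ScriptBlockText wildcards to constructed
PowerShell Event ID 4104 (script block logging) records."""
import re

# Subset of the rule's ScriptBlockText values, copied verbatim from the rule.
# Sigma string semantics: '*' matches any run of characters, '?' exactly one
# character, and comparison is case-insensitive.
PATTERNS = [
    "*Invoke-Kerberoast*", "*Get-DomainSPNTicket*", "*Get-DomainUser*",
    "*Get-NetUser*", "*Get-ADObject*", "*Set-ADObject*", "*Get-Domain*",
    "*Find-LocalAdminAccess*", "*Invoke-ShareFinder*", "*Get-NetSession*",
]

# Assumption for triage: these two names also exist as cmdlets in Microsoft's
# ActiveDirectory module, so an alert whose only hits are in this set is a
# likely false positive and needs manual review rather than automatic escalation.
AD_MODULE_OVERLAP = {"*Get-ADObject*", "*Set-ADObject*"}


def sigma_to_regex(pattern: str) -> re.Pattern:
    """Translate one Sigma wildcard string into an anchored, case-insensitive regex."""
    parts = []
    for token in re.split(r"([*?])", pattern):
        if token == "*":
            parts.append(".*")
        elif token == "?":
            parts.append(".")
        else:
            parts.append(re.escape(token))
    # DOTALL: script blocks span multiple lines, and '*' must cross newlines.
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


COMPILED = {p: sigma_to_regex(p) for p in PATTERNS}


def matching_patterns(script_block_text: str) -> list:
    """Return every rule pattern that matches this ScriptBlockText (OR of all)."""
    return [p for p, rx in COMPILED.items() if rx.match(script_block_text)]


def evaluate(events: list) -> list:
    """Run the rule over event records; one alert per matching 4104 record."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue  # logsource category ps_script maps to script block records only
        hits = matching_patterns(ev["ScriptBlockText"])
        if not hits:
            continue
        alerts.append({
            "record": ev["RecordId"],
            "hits": hits,
            "likely_false_positive": set(hits) <= AD_MODULE_OVERLAP,
        })
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Direct PowerView invocation: Kerberoasting pipeline.
    {"RecordId": 1, "EventID": 4104,
     "ScriptBlockText": "Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat"},
    # Lower-case invocation: still matches because Sigma matching is case-insensitive.
    {"RecordId": 2, "EventID": 4104,
     "ScriptBlockText": "get-netuser -AdminCount | select samaccountname"},
    # Fragment of PowerView.ps1 itself being loaded (e.g. via IEX of a download):
    # script block logging records the function definitions, so the rule fires
    # on the module load, not only on later invocations.
    {"RecordId": 3, "EventID": 4104,
     "ScriptBlockText": "function Get-DomainUser {\n    [CmdletBinding()]\n    Param("},
    # Legitimate ActiveDirectory-module usage that collides with '*Get-ADObject*'.
    {"RecordId": 4, "EventID": 4104,
     "ScriptBlockText": "Get-ADObject -Filter 'objectClass -eq \"user\"' -Properties whenCreated"},
    # ActiveDirectory-module cmdlet with no PowerView name collision: no alert.
    {"RecordId": 5, "EventID": 4104,
     "ScriptBlockText": "Get-ADUser -Filter * -Properties memberOf"},
    # Module-logging record (4103) is outside this rule's logsource: skipped.
    {"RecordId": 6, "EventID": 4103,
     "ScriptBlockText": "Invoke-Kerberoast"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Record 3 is the case worth remembering when tuning: because 4104 logs the text of every script block as it is compiled, the rule matches PowerView's own function definitions when the module is loaded, which is often earlier and noisier than the first cmdlet call. Record 4 shows why the `AD_MODULE_OVERLAP` triage flag exists; the rule's `falsepositives` claim of "should not be any" does not hold for those two names.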