# sysmon_powershell_exploit_scripts.yml
title: Malicious PowerShell Commandlet Names
id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
status: experimental
description: Detects the creation of known PowerShell scripts for exploitation
references:
    - https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml
author: Markus Neis
date: 2018/04/07
tags:
    - attack.execution
    - attack.t1086
    - attack.t1059.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        EventID: 11
        TargetFilename:
            - '*\Invoke-DllInjection.ps1'
            - '*\Invoke-WmiCommand.ps1'
            - '*\Get-GPPPassword.ps1'
            - '*\Get-Keystrokes.ps1'
            - '*\Get-VaultCredential.ps1'
            - '*\Invoke-CredentialInjection.ps1'
            - '*\Invoke-Mimikatz.ps1'
            - '*\Invoke-NinjaCopy.ps1'
            - '*\Invoke-TokenManipulation.ps1'
            - '*\Out-Minidump.ps1'
            - '*\VolumeShadowCopyTools.ps1'
            - '*\Invoke-ReflectivePEInjection.ps1'
            - '*\Get-TimedScreenshot.ps1'
            - '*\Invoke-UserHunter.ps1'
            - '*\Find-GPOLocation.ps1'
            - '*\Invoke-ACLScanner.ps1'
            - '*\Invoke-DowngradeAccount.ps1'
            - '*\Get-ServiceUnquoted.ps1'
            - '*\Get-ServiceFilePermission.ps1'
            - '*\Get-ServicePermission.ps1'
            - '*\Invoke-ServiceAbuse.ps1'
            - '*\Install-ServiceBinary.ps1'
            - '*\Get-RegAutoLogon.ps1'
            - '*\Get-VulnAutoRun.ps1'
            - '*\Get-VulnSchTask.ps1'
            - '*\Get-UnattendedInstallFile.ps1'
            - '*\Get-WebConfig.ps1'
            - '*\Get-ApplicationHost.ps1'
            - '*\Get-RegAlwaysInstallElevated.ps1'
            - '*\Get-Unconstrained.ps1'
            - '*\Add-RegBackdoor.ps1'
            - '*\Add-ScrnSaveBackdoor.ps1'
            - '*\Gupt-Backdoor.ps1'
            - '*\Invoke-ADSBackdoor.ps1'
            - '*\Enabled-DuplicateToken.ps1'
            - '*\Invoke-PsUaCme.ps1'
            - '*\Remove-Update.ps1'
            - '*\Check-VM.ps1'
            - '*\Get-LSASecret.ps1'
            - '*\Get-PassHashes.ps1'
            - '*\Show-TargetScreen.ps1'
            - '*\Port-Scan.ps1'
            - '*\Invoke-PoshRatHttp.ps1'
            - '*\Invoke-PowerShellTCP.ps1'
            - '*\Invoke-PowerShellWMI.ps1'
            - '*\Add-Exfiltration.ps1'
            - '*\Add-Persistence.ps1'
            - '*\Do-Exfiltration.ps1'
            - '*\Start-CaptureServer.ps1'
            - '*\Invoke-ShellCode.ps1'
            - '*\Get-ChromeDump.ps1'
            - '*\Get-ClipboardContents.ps1'
            - '*\Get-FoxDump.ps1'
            - '*\Get-IndexedItem.ps1'
            - '*\Get-Screenshot.ps1'
            - '*\Invoke-Inveigh.ps1'
            - '*\Invoke-NetRipper.ps1'
            - '*\Invoke-EgressCheck.ps1'
            - '*\Invoke-PostExfil.ps1'
            - '*\Invoke-PSInject.ps1'
            - '*\Invoke-RunAs.ps1'
            - '*\MailRaider.ps1'
            - '*\New-HoneyHash.ps1'
            - '*\Set-MacAttribute.ps1'
            - '*\Invoke-DCSync.ps1'
            - '*\Invoke-PowerDump.ps1'
            - '*\Exploit-Jboss.ps1'
            - '*\Invoke-ThunderStruck.ps1'
            - '*\Invoke-VoiceTroll.ps1'
            - '*\Set-Wallpaper.ps1'
            - '*\Invoke-InveighRelay.ps1'
            - '*\Invoke-PsExec.ps1'
            - '*\Invoke-SSHCommand.ps1'
            - '*\Get-SecurityPackages.ps1'
            - '*\Install-SSP.ps1'
            - '*\Invoke-BackdoorLNK.ps1'
            - '*\PowerBreach.ps1'
            - '*\Get-SiteListPassword.ps1'
            - '*\Get-System.ps1'
            - '*\Invoke-BypassUAC.ps1'
            - '*\Invoke-Tater.ps1'
            - '*\Invoke-WScriptBypassUAC.ps1'
            - '*\PowerUp.ps1'
            - '*\PowerView.ps1'
            - '*\Get-RickAstley.ps1'
            - '*\Find-Fruit.ps1'
            - '*\HTTP-Login.ps1'
            - '*\Find-TrustedDocuments.ps1'
            - '*\Invoke-Paranoia.ps1'
            - '*\Invoke-WinEnum.ps1'
            - '*\Invoke-ARPScan.ps1'
            - '*\Invoke-PortScan.ps1'
            - '*\Invoke-ReverseDNSLookup.ps1'
            - '*\Invoke-SMBScanner.ps1'
            - '*\Invoke-Mimikittenz.ps1'
    condition: selection
falsepositives:
    - Penetration Tests
level: high