title: Malicious PowerShell Commandlets
author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update)
date: 2017/03/05
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
detection:
    SELECTION_1:
        ScriptBlockText:
            - '*Invoke-DllInjection*'
            - '*Invoke-Shellcode*'
            - '*Invoke-WmiCommand*'
            - '*Get-GPPPassword*'
            - '*Get-Keystrokes*'
            - '*Get-TimedScreenshot*'
            - '*Get-VaultCredential*'
            - '*Invoke-CredentialInjection*'
            - '*Invoke-Mimikatz*'
            - '*Invoke-NinjaCopy*'
            - '*Invoke-TokenManipulation*'
            - '*Out-Minidump*'
            - '*VolumeShadowCopyTools*'
            - '*Invoke-ReflectivePEInjection*'
            - '*Invoke-UserHunter*'
            - '*Find-GPOLocation*'
            - '*Invoke-ACLScanner*'
            - '*Invoke-DowngradeAccount*'
            - '*Get-ServiceUnquoted*'
            - '*Get-ServiceFilePermission*'
            - '*Get-ServicePermission*'
            - '*Invoke-ServiceAbuse*'
            - '*Install-ServiceBinary*'
            - '*Get-RegAutoLogon*'
            - '*Get-VulnAutoRun*'
            - '*Get-VulnSchTask*'
            - '*Get-UnattendedInstallFile*'
            - '*Get-ApplicationHost*'
            - '*Get-RegAlwaysInstallElevated*'
            - '*Get-Unconstrained*'
            - '*Add-RegBackdoor*'
            - '*Add-ScrnSaveBackdoor*'
            - '*Gupt-Backdoor*'
            - '*Invoke-ADSBackdoor*'
            - '*Enabled-DuplicateToken*'
            - '*Invoke-PsUaCme*'
            - '*Remove-Update*'
            - '*Check-VM*'
            - '*Get-LSASecret*'
            - '*Get-PassHashes*'
            - '*Show-TargetScreen*'
            - '*Port-Scan*'
            - '*Invoke-PoshRatHttp*'
            - '*Invoke-PowerShellTCP*'
            - '*Invoke-PowerShellWMI*'
            - '*Add-Exfiltration*'
            - '*Add-Persistence*'
            - '*Do-Exfiltration*'
            - '*Start-CaptureServer*'
            - '*Get-ChromeDump*'
            - '*Get-ClipboardContents*'
            - '*Get-FoxDump*'
            - '*Get-IndexedItem*'
            - '*Get-Screenshot*'
            - '*Invoke-Inveigh*'
            - '*Invoke-NetRipper*'
            - '*Invoke-EgressCheck*'
            - '*Invoke-PostExfil*'
            - '*Invoke-PSInject*'
            - '*Invoke-RunAs*'
            - '*MailRaider*'
            - '*New-HoneyHash*'
            - '*Set-MacAttribute*'
            - '*Invoke-DCSync*'
            - '*Invoke-PowerDump*'
            - '*Exploit-Jboss*'
            - '*Invoke-ThunderStruck*'
            - '*Invoke-VoiceTroll*'
            - '*Set-Wallpaper*'
            - '*Invoke-InveighRelay*'
            - '*Invoke-PsExec*'
            - '*Invoke-SSHCommand*'
            - '*Get-SecurityPackages*'
            - '*Install-SSP*'
            - '*Invoke-BackdoorLNK*'
            - '*PowerBreach*'
            - '*Get-SiteListPassword*'
            - '*Get-System*'
            - '*Invoke-BypassUAC*'
            - '*Invoke-Tater*'
            - '*Invoke-WScriptBypassUAC*'
            - '*PowerUp*'
            - '*PowerView*'
            - '*Get-RickAstley*'
            - '*Find-Fruit*'
            - '*HTTP-Login*'
            - '*Find-TrustedDocuments*'
            - '*Invoke-Paranoia*'
            - '*Invoke-WinEnum*'
            - '*Invoke-ARPScan*'
            - '*Invoke-PortScan*'
            - '*Invoke-ReverseDNSLookup*'
            - '*Invoke-SMBScanner*'
            - '*Invoke-Mimikittenz*'
            - '*Invoke-AllChecks*'
    SELECTION_2:
        ScriptBlockText: '*Get-SystemDriveInfo*'
    condition: (SELECTION_1 and not (SELECTION_2))
falsepositives:
    - Penetration testing
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
level: high
logsource:
    category: ps_script
    definition: Script Block Logging must be enabled
    product: windows
modified: 2021/10/16
references:
    - https://adsecurity.org/?p=2921
status: experimental
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1086
ruletype: SIGMA
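As an added illustration (not part of the rule or the Sigma project), the Python below applies this rule's condition, using Sigma's case-insensitive `*`/`?` wildcard matching, to constructed Script Block Logging (Event ID 4104) ScriptBlockText values. It carries only a subset of the SELECTION_1 patterns and shows why SELECTION_2 is needed: the benign `Get-SystemDriveInfo` is a substring hit on `*Get-System*`.

```python
import re

# Subset of the SELECTION_1 patterns from the rule above (the rule lists many more).
SELECTION_1 = [
    "*Invoke-Mimikatz*", "*Get-GPPPassword*", "*Invoke-DCSync*",
    "*PowerView*", "*Get-System*", "*Invoke-AllChecks*",
]
# SELECTION_2: Get-SystemDriveInfo contains "Get-System", so the rule
# subtracts it with "and not" to avoid a known false positive.
SELECTION_2 = ["*Get-SystemDriveInfo*"]


def sigma_regex(pattern: str) -> re.Pattern:
    """Translate a Sigma string pattern into a regex: '*' matches any run of
    characters, '?' exactly one, everything else literally. Sigma string
    matching is case-insensitive, so IGNORECASE is set."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped, re.IGNORECASE | re.DOTALL)


def matched_patterns(script_block_text: str, patterns: list) -> list:
    """Return the patterns that match the whole script block text."""
    return [p for p in patterns if sigma_regex(p).fullmatch(script_block_text)]


def evaluate(script_block_text: str) -> tuple:
    """Apply the condition `SELECTION_1 and not (SELECTION_2)`.
    Returns (alert, selection_1_hits) so an analyst can see what fired."""
    hits = matched_patterns(script_block_text, SELECTION_1)
    excluded = matched_patterns(script_block_text, SELECTION_2)
    return (bool(hits) and not excluded, hits)


# Constructed ScriptBlockText samples (not real telemetry).
SAMPLE_EVENTS = [
    "Import-Module .\\PowerView.ps1",
    "invoke-mimikatz",                               # lowercase still matches
    "Get-SystemDriveInfo -ComputerName localhost",   # benign, removed by SELECTION_2
    "Get-Process | Sort-Object CPU -Descending",     # benign, no pattern matches
]


def run(events: list) -> list:
    """Return the script blocks that would raise this rule's alert."""
    return [e for e in events if evaluate(e)[0]]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(evaluate(event), repr(event))
```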