title: Malicious PowerShell Commandlets
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
status: experimental
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update)
date: 2017/03/05
modified: 2021/10/16
references:
  - https://adsecurity.org/?p=2921
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1086
logsource:
  product: windows
  category: ps_script
  definition: Script Block Logging must be enabled
detection:
  SELECTION_1:
    ScriptBlockText: '*Invoke-DllInjection*'
  SELECTION_2:
    ScriptBlockText: '*Invoke-Shellcode*'
  SELECTION_3:
    ScriptBlockText: '*Invoke-WmiCommand*'
  SELECTION_4:
    ScriptBlockText: '*Get-GPPPassword*'
  SELECTION_5:
    ScriptBlockText: '*Get-Keystrokes*'
  SELECTION_6:
    ScriptBlockText: '*Get-TimedScreenshot*'
  SELECTION_7:
    ScriptBlockText: '*Get-VaultCredential*'
  SELECTION_8:
    ScriptBlockText: '*Invoke-CredentialInjection*'
  SELECTION_9:
    ScriptBlockText: '*Invoke-Mimikatz*'
  SELECTION_10:
    ScriptBlockText: '*Invoke-NinjaCopy*'
  SELECTION_11:
    ScriptBlockText: '*Invoke-TokenManipulation*'
  SELECTION_12:
    ScriptBlockText: '*Out-Minidump*'
  SELECTION_13:
    ScriptBlockText: '*VolumeShadowCopyTools*'
  SELECTION_14:
    ScriptBlockText: '*Invoke-ReflectivePEInjection*'
  SELECTION_15:
    ScriptBlockText: '*Invoke-UserHunter*'
  SELECTION_16:
    ScriptBlockText: '*Find-GPOLocation*'
  SELECTION_17:
    ScriptBlockText: '*Invoke-ACLScanner*'
  SELECTION_18:
    ScriptBlockText: '*Invoke-DowngradeAccount*'
  SELECTION_19:
    ScriptBlockText: '*Get-ServiceUnquoted*'
  SELECTION_20:
    ScriptBlockText: '*Get-ServiceFilePermission*'
  SELECTION_21:
    ScriptBlockText: '*Get-ServicePermission*'
  SELECTION_22:
    ScriptBlockText: '*Invoke-ServiceAbuse*'
  SELECTION_23:
    ScriptBlockText: '*Install-ServiceBinary*'
  SELECTION_24:
    ScriptBlockText: '*Get-RegAutoLogon*'
  SELECTION_25:
    ScriptBlockText: '*Get-VulnAutoRun*'
  SELECTION_26:
    ScriptBlockText: '*Get-VulnSchTask*'
  SELECTION_27:
    ScriptBlockText: '*Get-UnattendedInstallFile*'
  SELECTION_28:
    ScriptBlockText: '*Get-ApplicationHost*'
  SELECTION_29:
    ScriptBlockText: '*Get-RegAlwaysInstallElevated*'
  SELECTION_30:
    ScriptBlockText: '*Get-Unconstrained*'
  SELECTION_31:
    ScriptBlockText: '*Add-RegBackdoor*'
  SELECTION_32:
    ScriptBlockText: '*Add-ScrnSaveBackdoor*'
  SELECTION_33:
    ScriptBlockText: '*Gupt-Backdoor*'
  SELECTION_34:
    ScriptBlockText: '*Invoke-ADSBackdoor*'
  SELECTION_35:
    ScriptBlockText: '*Enabled-DuplicateToken*'
  SELECTION_36:
    ScriptBlockText: '*Invoke-PsUaCme*'
  SELECTION_37:
    ScriptBlockText: '*Remove-Update*'
  SELECTION_38:
    ScriptBlockText: '*Check-VM*'
  SELECTION_39:
    ScriptBlockText: '*Get-LSASecret*'
  SELECTION_40:
    ScriptBlockText: '*Get-PassHashes*'
  SELECTION_41:
    ScriptBlockText: '*Show-TargetScreen*'
  SELECTION_42:
    ScriptBlockText: '*Port-Scan*'
  SELECTION_43:
    ScriptBlockText: '*Invoke-PoshRatHttp*'
  SELECTION_44:
    ScriptBlockText: '*Invoke-PowerShellTCP*'
  SELECTION_45:
    ScriptBlockText: '*Invoke-PowerShellWMI*'
  SELECTION_46:
    ScriptBlockText: '*Add-Exfiltration*'
  SELECTION_47:
    ScriptBlockText: '*Add-Persistence*'
  SELECTION_48:
    ScriptBlockText: '*Do-Exfiltration*'
  SELECTION_49:
    ScriptBlockText: '*Start-CaptureServer*'
  SELECTION_50:
    ScriptBlockText: '*Get-ChromeDump*'
  SELECTION_51:
    ScriptBlockText: '*Get-ClipboardContents*'
  SELECTION_52:
    ScriptBlockText: '*Get-FoxDump*'
  SELECTION_53:
    ScriptBlockText: '*Get-IndexedItem*'
  SELECTION_54:
    ScriptBlockText: '*Get-Screenshot*'
  SELECTION_55:
    ScriptBlockText: '*Invoke-Inveigh*'
  SELECTION_56:
    ScriptBlockText: '*Invoke-NetRipper*'
  SELECTION_57:
    ScriptBlockText: '*Invoke-EgressCheck*'
  SELECTION_58:
    ScriptBlockText: '*Invoke-PostExfil*'
  SELECTION_59:
    ScriptBlockText: '*Invoke-PSInject*'
  SELECTION_60:
    ScriptBlockText: '*Invoke-RunAs*'
  SELECTION_61:
    ScriptBlockText: '*MailRaider*'
  SELECTION_62:
    ScriptBlockText: '*New-HoneyHash*'
  SELECTION_63:
    ScriptBlockText: '*Set-MacAttribute*'
  SELECTION_64:
    ScriptBlockText: '*Invoke-DCSync*'
  SELECTION_65:
    ScriptBlockText: '*Invoke-PowerDump*'
  SELECTION_66:
    ScriptBlockText: '*Exploit-Jboss*'
  SELECTION_67:
    ScriptBlockText: '*Invoke-ThunderStruck*'
  SELECTION_68:
    ScriptBlockText: '*Invoke-VoiceTroll*'
  SELECTION_69:
    ScriptBlockText: '*Set-Wallpaper*'
  SELECTION_70:
    ScriptBlockText: '*Invoke-InveighRelay*'
  SELECTION_71:
    ScriptBlockText: '*Invoke-PsExec*'
  SELECTION_72:
    ScriptBlockText: '*Invoke-SSHCommand*'
  SELECTION_73:
    ScriptBlockText: '*Get-SecurityPackages*'
  SELECTION_74:
    ScriptBlockText: '*Install-SSP*'
  SELECTION_75:
    ScriptBlockText: '*Invoke-BackdoorLNK*'
  SELECTION_76:
    ScriptBlockText: '*PowerBreach*'
  SELECTION_77:
    ScriptBlockText: '*Get-SiteListPassword*'
  SELECTION_78:
    ScriptBlockText: '*Get-System*'
  SELECTION_79:
    ScriptBlockText: '*Invoke-BypassUAC*'
  SELECTION_80:
    ScriptBlockText: '*Invoke-Tater*'
  SELECTION_81:
    ScriptBlockText: '*Invoke-WScriptBypassUAC*'
  SELECTION_82:
    ScriptBlockText: '*PowerUp*'
  SELECTION_83:
    ScriptBlockText: '*PowerView*'
  SELECTION_84:
    ScriptBlockText: '*Get-RickAstley*'
  SELECTION_85:
    ScriptBlockText: '*Find-Fruit*'
  SELECTION_86:
    ScriptBlockText: '*HTTP-Login*'
  SELECTION_87:
    ScriptBlockText: '*Find-TrustedDocuments*'
  SELECTION_88:
    ScriptBlockText: '*Invoke-Paranoia*'
  SELECTION_89:
    ScriptBlockText: '*Invoke-WinEnum*'
  SELECTION_90:
    ScriptBlockText: '*Invoke-ARPScan*'
  SELECTION_91:
    ScriptBlockText: '*Invoke-PortScan*'
  SELECTION_92:
    ScriptBlockText: '*Invoke-ReverseDNSLookup*'
  SELECTION_93:
    ScriptBlockText: '*Invoke-SMBScanner*'
  SELECTION_94:
    ScriptBlockText: '*Invoke-Mimikittenz*'
  SELECTION_95:
    ScriptBlockText: '*Invoke-AllChecks*'
  SELECTION_96:
    ScriptBlockText: '*Get-SystemDriveInfo*'
  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20 or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25 or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30 or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35 or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40 or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45 or SELECTION_46 or SELECTION_47 or SELECTION_48 or SELECTION_49 or SELECTION_50 or SELECTION_51 or SELECTION_52 or SELECTION_53 or SELECTION_54 or SELECTION_55 or SELECTION_56 or SELECTION_57 or SELECTION_58 or SELECTION_59 or SELECTION_60 or SELECTION_61 or SELECTION_62 or SELECTION_63 or SELECTION_64 or SELECTION_65 or SELECTION_66 or SELECTION_67 or SELECTION_68 or SELECTION_69 or SELECTION_70 or SELECTION_71 or SELECTION_72 or SELECTION_73 or SELECTION_74 or SELECTION_75 or SELECTION_76 or SELECTION_77 or SELECTION_78 or SELECTION_79 or SELECTION_80 or SELECTION_81 or SELECTION_82 or SELECTION_83 or SELECTION_84 or SELECTION_85 or SELECTION_86 or SELECTION_87 or SELECTION_88 or SELECTION_89 or SELECTION_90 or SELECTION_91 or SELECTION_92 or SELECTION_93 or SELECTION_94 or SELECTION_95) and not (SELECTION_96))
falsepositives:
  - Penetration testing
level: high
yml_filename: powershell_malicious_commandlets.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script