title: Malicious PowerShell Keywords
id: f62176f3-8128-4faa-bf6c-83261322e5eb
status: experimental
description: Detects keywords from well-known PowerShell exploitation frameworks
references:
  - https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
modified: 2021/10/16
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1086
logsource:
  product: windows
  category: ps_script
  definition: It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277
detection:
  SELECTION_1:
    ScriptBlockText: '*AdjustTokenPrivileges*'
  SELECTION_2:
    ScriptBlockText: '*IMAGE_NT_OPTIONAL_HDR64_MAGIC*'
  SELECTION_3:
    ScriptBlockText: '*Microsoft.Win32.UnsafeNativeMethods*'
  SELECTION_4:
    ScriptBlockText: '*ReadProcessMemory.Invoke*'
  SELECTION_5:
    ScriptBlockText: '*SE_PRIVILEGE_ENABLED*'
  SELECTION_6:
    ScriptBlockText: '*LSA_UNICODE_STRING*'
  SELECTION_7:
    ScriptBlockText: '*MiniDumpWriteDump*'
  SELECTION_8:
    ScriptBlockText: '*PAGE_EXECUTE_READ*'
  SELECTION_9:
    ScriptBlockText: '*SECURITY_DELEGATION*'
  SELECTION_10:
    ScriptBlockText: '*TOKEN_ADJUST_PRIVILEGES*'
  SELECTION_11:
    ScriptBlockText: '*TOKEN_ALL_ACCESS*'
  SELECTION_12:
    ScriptBlockText: '*TOKEN_ASSIGN_PRIMARY*'
  SELECTION_13:
    ScriptBlockText: '*TOKEN_DUPLICATE*'
  SELECTION_14:
    ScriptBlockText: '*TOKEN_ELEVATION*'
  SELECTION_15:
    ScriptBlockText: '*TOKEN_IMPERSONATE*'
  SELECTION_16:
    ScriptBlockText: '*TOKEN_INFORMATION_CLASS*'
  SELECTION_17:
    ScriptBlockText: '*TOKEN_PRIVILEGES*'
  SELECTION_18:
    ScriptBlockText: '*TOKEN_QUERY*'
  SELECTION_19:
    ScriptBlockText: '*Metasploit*'
  SELECTION_20:
    ScriptBlockText: '*Mimikatz*'
  condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20)
falsepositives:
  - Penetration tests
level: high
yml_filename: powershell_malicious_keywords.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script