Malicious PowerShell Scripts - FileCreation
Detects the creation of known offensive PowerShell scripts used for exploitation.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059.001 Command and Scripting Interpreter: PowerShell |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
Stages and Predicates
Stage 1: 1 of selection_generic
or:
TargetFilename|endswith: '\ADRecon.ps1'
TargetFilename|endswith: '\Add-ConstrainedDelegationBackdoor.ps1'
TargetFilename|endswith: '\Add-Exfiltration.ps1'
TargetFilename|endswith: '\Add-Persistence.ps1'
TargetFilename|endswith: '\Add-RegBackdoor.ps1'
TargetFilename|endswith: '\Add-RemoteRegBackdoor.ps1'
TargetFilename|endswith: '\Add-ScrnSaveBackdoor.ps1'
TargetFilename|endswith: '\AzureADRecon.ps1'
TargetFilename|endswith: '\BadSuccessor.ps1'
TargetFilename|endswith: '\Check-VM.ps1'
TargetFilename|endswith: '\ConvertTo-ROT13.ps1'
TargetFilename|endswith: '\Copy-VSS.ps1'
TargetFilename|endswith: '\Create-MultipleSessions.ps1'
TargetFilename|endswith: '\DNS_TXT_Pwnage.ps1'
TargetFilename|endswith: '\Do-Exfiltration.ps1'
TargetFilename|endswith: '\DomainPasswordSpray.ps1'
TargetFilename|endswith: '\Download-Execute-PS.ps1'
TargetFilename|endswith: '\Download_Execute.ps1'
TargetFilename|endswith: '\Enable-DuplicateToken.ps1'
TargetFilename|endswith: '\Enabled-DuplicateToken.ps1'
TargetFilename|endswith: '\Execute-Command-MSSQL.ps1'
TargetFilename|endswith: '\Execute-DNSTXT-Code.ps1'
TargetFilename|endswith: '\Execute-OnTime.ps1'
TargetFilename|endswith: '\ExetoText.ps1'
TargetFilename|endswith: '\Exploit-Jboss.ps1'
TargetFilename|endswith: '\Find-AVSignature.ps1'
TargetFilename|endswith: '\Find-Fruit.ps1'
TargetFilename|endswith: '\Find-GPOLocation.ps1'
TargetFilename|endswith: '\Find-TrustedDocuments.ps1'
TargetFilename|endswith: '\FireBuster.ps1'
TargetFilename|endswith: '\FireListener.ps1'
TargetFilename|endswith: '\Get-ApplicationHost.ps1'
TargetFilename|endswith: '\Get-ChromeDump.ps1'
TargetFilename|endswith: '\Get-ClipboardContents.ps1'
TargetFilename|endswith: '\Get-ComputerDetail.ps1'
TargetFilename|endswith: '\Get-FoxDump.ps1'
TargetFilename|endswith: '\Get-GPPAutologon.ps1'
TargetFilename|endswith: '\Get-GPPPassword.ps1'
TargetFilename|endswith: '\Get-IndexedItem.ps1'
TargetFilename|endswith: '\Get-Keystrokes.ps1'
TargetFilename|endswith: '\Get-LSASecret.ps1'
TargetFilename|endswith: '\Get-MicrophoneAudio.ps1'
TargetFilename|endswith: '\Get-PassHashes.ps1'
TargetFilename|endswith: '\Get-PassHints.ps1'
TargetFilename|endswith: '\Get-RegAlwaysInstallElevated.ps1'
TargetFilename|endswith: '\Get-RegAutoLogon.ps1'
TargetFilename|endswith: '\Get-RickAstley.ps1'
TargetFilename|endswith: '\Get-Screenshot.ps1'
TargetFilename|endswith: '\Get-SecurityPackages.ps1'
TargetFilename|endswith: '\Get-ServiceFilePermission.ps1'
TargetFilename|endswith: '\Get-ServicePermission.ps1'
TargetFilename|endswith: '\Get-ServiceUnquoted.ps1'
TargetFilename|endswith: '\Get-SiteListPassword.ps1'
TargetFilename|endswith: '\Get-System.ps1'
TargetFilename|endswith: '\Get-TimedScreenshot.ps1'
TargetFilename|endswith: '\Get-USBKeystrokes.ps1'
TargetFilename|endswith: '\Get-UnattendedInstallFile.ps1'
TargetFilename|endswith: '\Get-Unconstrained.ps1'
TargetFilename|endswith: '\Get-VaultCredential.ps1'
TargetFilename|endswith: '\Get-VulnAutoRun.ps1'
TargetFilename|endswith: '\Get-VulnSchTask.ps1'
TargetFilename|endswith: '\Get-WLAN-Keys.ps1'
TargetFilename|endswith: '\Get-WebConfig.ps1'
TargetFilename|endswith: '\Get-WebCredentials.ps1'
TargetFilename|endswith: '\Gupt-Backdoor.ps1'
TargetFilename|endswith: '\HTTP-Backdoor.ps1'
TargetFilename|endswith: '\HTTP-Login.ps1'
TargetFilename|endswith: '\Install-SSP.ps1'
TargetFilename|endswith: '\Install-ServiceBinary.ps1'
TargetFilename|endswith: '\Invoke-ACLScanner.ps1'
TargetFilename|endswith: '\Invoke-ADSBackdoor.ps1'
TargetFilename|endswith: '\Invoke-ARPScan.ps1'
TargetFilename|endswith: '\Invoke-AmsiBypass.ps1'
TargetFilename|endswith: '\Invoke-BackdoorLNK.ps1'
TargetFilename|endswith: '\Invoke-BadPotato.ps1'
TargetFilename|endswith: '\Invoke-BetterSafetyKatz.ps1'
TargetFilename|endswith: '\Invoke-BruteForce.ps1'
TargetFilename|endswith: '\Invoke-BypassUAC.ps1'
TargetFilename|endswith: '\Invoke-Carbuncle.ps1'
TargetFilename|endswith: '\Invoke-Certify.ps1'
TargetFilename|endswith: '\Invoke-ConPtyShell.ps1'
TargetFilename|endswith: '\Invoke-CredentialInjection.ps1'
TargetFilename|endswith: '\Invoke-CredentialsPhish.ps1'
TargetFilename|endswith: '\Invoke-DAFT.ps1'
TargetFilename|endswith: '\Invoke-DCSync.ps1'
TargetFilename|endswith: '\Invoke-DNSExfiltrator.ps1'
TargetFilename|endswith: '\Invoke-DNSUpdate.ps1'
TargetFilename|endswith: '\Invoke-Decode.ps1'
TargetFilename|endswith: '\Invoke-DinvokeKatz.ps1'
TargetFilename|endswith: '\Invoke-DllInjection.ps1'
TargetFilename|endswith: '\Invoke-DowngradeAccount.ps1'
TargetFilename|endswith: '\Invoke-EgressCheck.ps1'
TargetFilename|endswith: '\Invoke-Encode.ps1'
TargetFilename|endswith: '\Invoke-EventViewer.ps1'
TargetFilename|endswith: '\Invoke-Eyewitness.ps1'
TargetFilename|endswith: '\Invoke-FakeLogonScreen.ps1'
TargetFilename|endswith: '\Invoke-Farmer.ps1'
TargetFilename|endswith: '\Invoke-Get-RBCD-Threaded.ps1'
TargetFilename|endswith: '\Invoke-Gopher.ps1'
TargetFilename|endswith: '\Invoke-Grouper2.ps1'
TargetFilename|endswith: '\Invoke-Grouper3.ps1'
TargetFilename|endswith: '\Invoke-HandleKatz.ps1'
TargetFilename|endswith: '\Invoke-Interceptor.ps1'
TargetFilename|endswith: '\Invoke-Internalmonologue.ps1'
TargetFilename|endswith: '\Invoke-Inveigh.ps1'
TargetFilename|endswith: '\Invoke-InveighRelay.ps1'
TargetFilename|endswith: '\Invoke-JSRatRegsvr.ps1'
TargetFilename|endswith: '\Invoke-JSRatRundll.ps1'
TargetFilename|endswith: '\Invoke-KrbRelay.ps1'
TargetFilename|endswith: '\Invoke-KrbRelayUp.ps1'
TargetFilename|endswith: '\Invoke-LdapSignCheck.ps1'
TargetFilename|endswith: '\Invoke-Lockless.ps1'
TargetFilename|endswith: '\Invoke-MITM6.ps1'
TargetFilename|endswith: '\Invoke-MalSCCM.ps1'
TargetFilename|endswith: '\Invoke-Mimikatz.ps1'
TargetFilename|endswith: '\Invoke-MimikatzWDigestDowngrade.ps1'
TargetFilename|endswith: '\Invoke-Mimikittenz.ps1'
TargetFilename|endswith: '\Invoke-NanoDump.ps1'
TargetFilename|endswith: '\Invoke-NetRipper.ps1'
TargetFilename|endswith: '\Invoke-NetworkRelay.ps1'
TargetFilename|endswith: '\Invoke-NinjaCopy.ps1'
TargetFilename|endswith: '\Invoke-OxidResolver.ps1'
TargetFilename|endswith: '\Invoke-P0wnedshell.ps1'
TargetFilename|endswith: '\Invoke-P0wnedshellx86.ps1'
TargetFilename|endswith: '\Invoke-PPLDump.ps1'
TargetFilename|endswith: '\Invoke-PSInject.ps1'
TargetFilename|endswith: '\Invoke-Paranoia.ps1'
TargetFilename|endswith: '\Invoke-PortScan.ps1'
TargetFilename|endswith: '\Invoke-PoshRatHttp.ps1'
TargetFilename|endswith: '\Invoke-PoshRatHttps.ps1'
TargetFilename|endswith: '\Invoke-PostExfil.ps1'
TargetFilename|endswith: '\Invoke-PowerDPAPI.ps1'
TargetFilename|endswith: '\Invoke-PowerDump.ps1'
TargetFilename|endswith: '\Invoke-PowerShellIcmp.ps1'
TargetFilename|endswith: '\Invoke-PowerShellTCP.ps1'
TargetFilename|endswith: '\Invoke-PowerShellTcpOneLine.ps1'
TargetFilename|endswith: '\Invoke-PowerShellTcpOneLineBind.ps1'
TargetFilename|endswith: '\Invoke-PowerShellUdp.ps1'
TargetFilename|endswith: '\Invoke-PowerShellUdpOneLine.ps1'
TargetFilename|endswith: '\Invoke-PowerShellWMI.ps1'
TargetFilename|endswith: '\Invoke-PowerThIEf.ps1'
TargetFilename|endswith: '\Invoke-Prasadhak.ps1'
TargetFilename|endswith: '\Invoke-PsExec.ps1'
TargetFilename|endswith: '\Invoke-PsGcat.ps1'
TargetFilename|endswith: '\Invoke-PsGcatAgent.ps1'
TargetFilename|endswith: '\Invoke-PsUaCme.ps1'
TargetFilename|endswith: '\Invoke-ReflectivePEInjection.ps1'
TargetFilename|endswith: '\Invoke-ReverseDNSLookup.ps1'
TargetFilename|endswith: '\Invoke-Rubeus.ps1'
TargetFilename|endswith: '\Invoke-RunAs.ps1'
TargetFilename|endswith: '\Invoke-SCShell.ps1'
TargetFilename|endswith: '\Invoke-SMBScanner.ps1'
TargetFilename|endswith: '\Invoke-SSHCommand.ps1'
TargetFilename|endswith: '\Invoke-SSIDExfil.ps1'
TargetFilename|endswith: '\Invoke-SafetyKatz.ps1'
TargetFilename|endswith: '\Invoke-SauronEye.ps1'
TargetFilename|endswith: '\Invoke-Seatbelt.ps1'
TargetFilename|endswith: '\Invoke-ServiceAbuse.ps1'
TargetFilename|endswith: '\Invoke-SessionGopher.ps1'
TargetFilename|endswith: '\Invoke-ShellCode.ps1'
TargetFilename|endswith: '\Invoke-Snaffler.ps1'
TargetFilename|endswith: '\Invoke-Spoolsample.ps1'
TargetFilename|endswith: '\Invoke-StandIn.ps1'
TargetFilename|endswith: '\Invoke-StickyNotesExtract.ps1'
TargetFilename|endswith: '\Invoke-Tater.ps1'
TargetFilename|endswith: '\Invoke-ThunderStruck.ps1'
TargetFilename|endswith: '\Invoke-Thunderfox.ps1'
TargetFilename|endswith: '\Invoke-TokenManipulation.ps1'
TargetFilename|endswith: '\Invoke-Tokenvator.ps1'
TargetFilename|endswith: '\Invoke-TotalExec.ps1'
TargetFilename|endswith: '\Invoke-UrbanBishop.ps1'
TargetFilename|endswith: '\Invoke-UserHunter.ps1'
TargetFilename|endswith: '\Invoke-VoiceTroll.ps1'
TargetFilename|endswith: '\Invoke-WScriptBypassUAC.ps1'
TargetFilename|endswith: '\Invoke-Whisker.ps1'
TargetFilename|endswith: '\Invoke-WinEnum.ps1'
TargetFilename|endswith: '\Invoke-WireTap.ps1'
TargetFilename|endswith: '\Invoke-WmiCommand.ps1'
TargetFilename|endswith: '\Invoke-Zerologon.ps1'
TargetFilename|endswith: '\Invoke-winPEAS.ps1'
TargetFilename|endswith: '\Keylogger.ps1'
TargetFilename|endswith: '\MailRaider.ps1'
TargetFilename|endswith: '\New-HoneyHash.ps1'
TargetFilename|endswith: '\OfficeMemScraper.ps1'
TargetFilename|endswith: '\Offline_Winpwn.ps1'
TargetFilename|endswith: '\Out-CHM.ps1'
TargetFilename|endswith: '\Out-DnsTxt.ps1'
TargetFilename|endswith: '\Out-Excel.ps1'
TargetFilename|endswith: '\Out-HTA.ps1'
TargetFilename|endswith: '\Out-JS.ps1'
TargetFilename|endswith: '\Out-Java.ps1'
TargetFilename|endswith: '\Out-Minidump.ps1'
TargetFilename|endswith: '\Out-RundllCommand.ps1'
TargetFilename|endswith: '\Out-SCF.ps1'
TargetFilename|endswith: '\Out-SCT.ps1'
TargetFilename|endswith: '\Out-Shortcut.ps1'
TargetFilename|endswith: '\Out-WebQuery.ps1'
TargetFilename|endswith: '\Out-Word.ps1'
TargetFilename|endswith: '\PSAsyncShell.ps1'
TargetFilename|endswith: '\Parse_Keys.ps1'
TargetFilename|endswith: '\Port-Scan.ps1'
TargetFilename|endswith: '\PowerBreach.ps1'
TargetFilename|endswith: '\PowerRunAsSystem.psm1'
TargetFilename|endswith: '\PowerSharpPack.ps1'
TargetFilename|endswith: '\PowerUp.ps1'
TargetFilename|endswith: '\PowerUpSQL.ps1'
TargetFilename|endswith: '\PowerView.ps1'
TargetFilename|endswith: '\Powermad.ps1'
TargetFilename|endswith: '\RemoteHashRetrieval.ps1'
TargetFilename|endswith: '\Remove-Persistence.ps1'
TargetFilename|endswith: '\Remove-PoshRat.ps1'
TargetFilename|endswith: '\Remove-Update.ps1'
TargetFilename|endswith: '\Run-EXEonRemote.ps1'
TargetFilename|endswith: '\Schtasks-Backdoor.ps1'
TargetFilename|endswith: '\Set-DCShadowPermissions.ps1'
TargetFilename|endswith: '\Set-MacAttribute.ps1'
TargetFilename|endswith: '\Set-RemotePSRemoting.ps1'
TargetFilename|endswith: '\Set-RemoteWMI.ps1'
TargetFilename|endswith: '\Set-Wallpaper.ps1'
TargetFilename|endswith: '\Show-TargetScreen.ps1'
TargetFilename|endswith: '\Speak.ps1'
TargetFilename|endswith: '\Start-CaptureServer.ps1'
TargetFilename|endswith: '\Start-WebcamRecorder.ps1'
TargetFilename|endswith: '\StringToBase64.ps1'
TargetFilename|endswith: '\TexttoExe.ps1'
TargetFilename|endswith: '\Veeam-Get-Creds.ps1'
TargetFilename|endswith: '\VolumeShadowCopyTools.ps1'
TargetFilename|endswith: '\WSUSpendu.ps1'
TargetFilename|endswith: '\WinPwn.ps1'
TargetFilename|endswith: '\dnscat2.ps1'
TargetFilename|endswith: '\powercat.ps1'
Stage 2: 1 of selection_invoke_sharp
TargetFilename|endswith: '.ps1'
TargetFilename|contains: 'Invoke-Sharp'
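The two selections above are evaluated as an OR: an event fires the rule if it ends with any name in selection_generic, or if it is a `.ps1` file whose name contains `Invoke-Sharp`. The following Python is an added example, not part of the rule or the catalog, showing how those predicates behave when run over Sysmon Event ID 11 records. It uses only a small subset of the Stage 1 names (the full list from the rule would be loaded in practice), applies Sigma's case-insensitive string matching, and the events it scans are constructed, not real telemetry. Note the `\` that prefixes every Stage 1 value: it anchors the match on the whole file name, so a renamed copy such as `MyPowerUp.ps1` is not caught, which is the main coverage gap of a filename-based rule.

```python
from typing import Iterable, List, Optional, Tuple

# Representative subset of selection_generic (Stage 1) from the rule page.
# In a real deployment the complete list from the rule is loaded verbatim.
SELECTION_GENERIC_SUFFIXES = (
    "\\Invoke-Mimikatz.ps1",
    "\\PowerView.ps1",
    "\\PowerUp.ps1",
    "\\Get-GPPPassword.ps1",
    "\\Invoke-DCSync.ps1",
    "\\powercat.ps1",
    "\\PowerRunAsSystem.psm1",
)

# selection_invoke_sharp (Stage 2): both field predicates must hold.
SELECTION_INVOKE_SHARP_SUFFIX = ".ps1"
SELECTION_INVOKE_SHARP_SUBSTR = "Invoke-Sharp"


def _norm(value: str) -> str:
    # Sigma's endswith/contains modifiers compare case-insensitively, so a
    # lowercase or mixed-case copy of a listed script still matches.
    return value.lower()


def matched_selection(event: dict) -> Optional[str]:
    """Return the name of the selection that fires for one Sysmon event, or None."""
    if event.get("EventID") != 11:  # rule scope is Sysmon FileCreate only
        return None
    name = _norm(event.get("TargetFilename", ""))
    if any(name.endswith(_norm(s)) for s in SELECTION_GENERIC_SUFFIXES):
        return "selection_generic"
    if name.endswith(SELECTION_INVOKE_SHARP_SUFFIX) and _norm(SELECTION_INVOKE_SHARP_SUBSTR) in name:
        return "selection_invoke_sharp"
    return None


def scan(events: Iterable[dict]) -> List[Tuple[str, str]]:
    """Run the rule over a stream of events; return (TargetFilename, selection) alerts."""
    alerts = []
    for ev in events:
        sel = matched_selection(ev)
        if sel:
            alerts.append((ev["TargetFilename"], sel))
    return alerts


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": "C:\\Users\\alice\\Downloads\\Invoke-Mimikatz.ps1"},
    {"EventID": 11, "TargetFilename": "C:\\Temp\\pv\\powerview.PS1"},          # case variant, still matches
    {"EventID": 11, "TargetFilename": "C:\\Tools\\Invoke-SharpExample.ps1"},  # Stage 2 (constructed name)
    {"EventID": 11, "TargetFilename": "C:\\Tools\\Invoke-Sharp.txt"},         # wrong extension, no match
    {"EventID": 11, "TargetFilename": "C:\\Users\\bob\\Documents\\Deploy-App.ps1"},  # benign script
    {"EventID": 1,  "TargetFilename": "C:\\Tools\\PowerUp.ps1"},              # not a FileCreate event
    {"EventID": 11, "TargetFilename": "C:\\Tools\\MyPowerUp.ps1"},            # renamed copy evades endswith
]

if __name__ == "__main__":
    for target, selection in scan(SAMPLE_EVENTS):
        print(f"{selection:24s} {target}")
```

Running the block prints three alerts: two from selection_generic and one from selection_invoke_sharp. The last sample event shows why this rule is best paired with content-based detections (script block logging, AMSI) rather than relied on alone.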
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| TargetFilename | ends_with | the script names listed under Stage 1 (selection_generic) |
| TargetFilename | match | `.ps1` suffix combined with the `Invoke-Sharp` substring (Stage 2, selection_invoke_sharp) |