Malicious PowerShell Scripts - PoshModule
Detects the execution of known offensive PowerShell scripts used for exploitation or reconnaissance.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059.001 Command and Scripting Interpreter: PowerShell |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| PowerShell | 4103 | Module logging (Executing Pipeline): Payload, Context (ContextInfo), User Data (UserData) |
Stages and Predicates
Stage 1: 1 of selection_generic
or:
ContextInfo|contains: Add-ConstrainedDelegationBackdoor.ps1
ContextInfo|contains: Add-Exfiltration.ps1
ContextInfo|contains: Add-Persistence.ps1
ContextInfo|contains: Add-RegBackdoor.ps1
ContextInfo|contains: Add-RemoteRegBackdoor.ps1
ContextInfo|contains: Add-ScrnSaveBackdoor.ps1
ContextInfo|contains: BadSuccessor.ps1
ContextInfo|contains: Check-VM.ps1
ContextInfo|contains: ConvertTo-ROT13.ps1
ContextInfo|contains: Copy-VSS.ps1
ContextInfo|contains: Create-MultipleSessions.ps1
ContextInfo|contains: DNS_TXT_Pwnage.ps1
ContextInfo|contains: Do-Exfiltration.ps1
ContextInfo|contains: DomainPasswordSpray.ps1
ContextInfo|contains: Download-Execute-PS.ps1
ContextInfo|contains: Download_Execute.ps1
ContextInfo|contains: Enable-DuplicateToken.ps1
ContextInfo|contains: Enabled-DuplicateToken.ps1
ContextInfo|contains: Execute-Command-MSSQL.ps1
ContextInfo|contains: Execute-DNSTXT-Code.ps1
ContextInfo|contains: Execute-OnTime.ps1
ContextInfo|contains: ExetoText.ps1
ContextInfo|contains: Exploit-Jboss.ps1
ContextInfo|contains: Find-AVSignature.ps1
ContextInfo|contains: Find-Fruit.ps1
ContextInfo|contains: Find-GPOLocation.ps1
ContextInfo|contains: Find-TrustedDocuments.ps1
ContextInfo|contains: FireBuster.ps1
ContextInfo|contains: FireListener.ps1
ContextInfo|contains: Get-ApplicationHost.ps1
ContextInfo|contains: Get-ChromeDump.ps1
ContextInfo|contains: Get-ClipboardContents.ps1
ContextInfo|contains: Get-ComputerDetail.ps1
ContextInfo|contains: Get-FoxDump.ps1
ContextInfo|contains: Get-GPPAutologon.ps1
ContextInfo|contains: Get-GPPPassword.ps1
ContextInfo|contains: Get-IndexedItem.ps1
ContextInfo|contains: Get-Keystrokes.ps1
ContextInfo|contains: Get-LSASecret.ps1
ContextInfo|contains: Get-MicrophoneAudio.ps1
ContextInfo|contains: Get-PassHashes.ps1
ContextInfo|contains: Get-PassHints.ps1
ContextInfo|contains: Get-RegAlwaysInstallElevated.ps1
ContextInfo|contains: Get-RegAutoLogon.ps1
ContextInfo|contains: Get-RickAstley.ps1
ContextInfo|contains: Get-Screenshot.ps1
ContextInfo|contains: Get-SecurityPackages.ps1
ContextInfo|contains: Get-ServiceFilePermission.ps1
ContextInfo|contains: Get-ServicePermission.ps1
ContextInfo|contains: Get-ServiceUnquoted.ps1
ContextInfo|contains: Get-SiteListPassword.ps1
ContextInfo|contains: Get-System.ps1
ContextInfo|contains: Get-TimedScreenshot.ps1
ContextInfo|contains: Get-USBKeystrokes.ps1
ContextInfo|contains: Get-UnattendedInstallFile.ps1
ContextInfo|contains: Get-Unconstrained.ps1
ContextInfo|contains: Get-VaultCredential.ps1
ContextInfo|contains: Get-VulnAutoRun.ps1
ContextInfo|contains: Get-VulnSchTask.ps1
ContextInfo|contains: Get-WLAN-Keys.ps1
ContextInfo|contains: Get-WebConfig.ps1
ContextInfo|contains: Get-WebCredentials.ps1
ContextInfo|contains: Gupt-Backdoor.ps1
ContextInfo|contains: HTTP-Backdoor.ps1
ContextInfo|contains: HTTP-Login.ps1
ContextInfo|contains: Install-SSP.ps1
ContextInfo|contains: Install-ServiceBinary.ps1
ContextInfo|contains: Invoke-ACLScanner.ps1
ContextInfo|contains: Invoke-ADSBackdoor.ps1
ContextInfo|contains: Invoke-ARPScan.ps1
ContextInfo|contains: Invoke-AmsiBypass.ps1
ContextInfo|contains: Invoke-BackdoorLNK.ps1
ContextInfo|contains: Invoke-BadPotato.ps1
ContextInfo|contains: Invoke-BetterSafetyKatz.ps1
ContextInfo|contains: Invoke-BruteForce.ps1
ContextInfo|contains: Invoke-BypassUAC.ps1
ContextInfo|contains: Invoke-Carbuncle.ps1
ContextInfo|contains: Invoke-Certify.ps1
ContextInfo|contains: Invoke-ConPtyShell.ps1
ContextInfo|contains: Invoke-CredentialInjection.ps1
ContextInfo|contains: Invoke-CredentialsPhish.ps1
ContextInfo|contains: Invoke-DAFT.ps1
ContextInfo|contains: Invoke-DCSync.ps1
ContextInfo|contains: Invoke-DNSExfiltrator.ps1
ContextInfo|contains: Invoke-Decode.ps1
ContextInfo|contains: Invoke-DinvokeKatz.ps1
ContextInfo|contains: Invoke-DllInjection.ps1
ContextInfo|contains: Invoke-DowngradeAccount.ps1
ContextInfo|contains: Invoke-EgressCheck.ps1
ContextInfo|contains: Invoke-Encode.ps1
ContextInfo|contains: Invoke-EventViewer.ps1
ContextInfo|contains: Invoke-Eyewitness.ps1
ContextInfo|contains: Invoke-FakeLogonScreen.ps1
ContextInfo|contains: Invoke-Farmer.ps1
ContextInfo|contains: Invoke-Get-RBCD-Threaded.ps1
ContextInfo|contains: Invoke-Gopher.ps1
ContextInfo|contains: Invoke-Grouper2.ps1
ContextInfo|contains: Invoke-Grouper3.ps1
ContextInfo|contains: Invoke-HandleKatz.ps1
ContextInfo|contains: Invoke-Interceptor.ps1
ContextInfo|contains: Invoke-Internalmonologue.ps1
ContextInfo|contains: Invoke-Inveigh.ps1
ContextInfo|contains: Invoke-InveighRelay.ps1
ContextInfo|contains: Invoke-JSRatRegsvr.ps1
ContextInfo|contains: Invoke-JSRatRundll.ps1
ContextInfo|contains: Invoke-KrbRelay.ps1
ContextInfo|contains: Invoke-KrbRelayUp.ps1
ContextInfo|contains: Invoke-LdapSignCheck.ps1
ContextInfo|contains: Invoke-Lockless.ps1
ContextInfo|contains: Invoke-MITM6.ps1
ContextInfo|contains: Invoke-MalSCCM.ps1
ContextInfo|contains: Invoke-Mimikatz.ps1
ContextInfo|contains: Invoke-MimikatzWDigestDowngrade.ps1
ContextInfo|contains: Invoke-Mimikittenz.ps1
ContextInfo|contains: Invoke-NanoDump.ps1
ContextInfo|contains: Invoke-NetRipper.ps1
ContextInfo|contains: Invoke-NetworkRelay.ps1
ContextInfo|contains: Invoke-NinjaCopy.ps1
ContextInfo|contains: Invoke-OxidResolver.ps1
ContextInfo|contains: Invoke-P0wnedshell.ps1
ContextInfo|contains: Invoke-P0wnedshellx86.ps1
ContextInfo|contains: Invoke-PPLDump.ps1
ContextInfo|contains: Invoke-PSInject.ps1
ContextInfo|contains: Invoke-Paranoia.ps1
ContextInfo|contains: Invoke-PortScan.ps1
ContextInfo|contains: Invoke-PoshRatHttp.ps1
ContextInfo|contains: Invoke-PoshRatHttps.ps1
ContextInfo|contains: Invoke-PostExfil.ps1
ContextInfo|contains: Invoke-PowerDPAPI.ps1
ContextInfo|contains: Invoke-PowerDump.ps1
ContextInfo|contains: Invoke-PowerShellIcmp.ps1
ContextInfo|contains: Invoke-PowerShellTCP.ps1
ContextInfo|contains: Invoke-PowerShellTcpOneLine.ps1
ContextInfo|contains: Invoke-PowerShellTcpOneLineBind.ps1
ContextInfo|contains: Invoke-PowerShellUdp.ps1
ContextInfo|contains: Invoke-PowerShellUdpOneLine.ps1
ContextInfo|contains: Invoke-PowerShellWMI.ps1
ContextInfo|contains: Invoke-PowerThIEf.ps1
ContextInfo|contains: Invoke-Prasadhak.ps1
ContextInfo|contains: Invoke-PsExec.ps1
ContextInfo|contains: Invoke-PsGcat.ps1
ContextInfo|contains: Invoke-PsGcatAgent.ps1
ContextInfo|contains: Invoke-PsUaCme.ps1
ContextInfo|contains: Invoke-ReflectivePEInjection.ps1
ContextInfo|contains: Invoke-ReverseDNSLookup.ps1
ContextInfo|contains: Invoke-Rubeus.ps1
ContextInfo|contains: Invoke-RunAs.ps1
ContextInfo|contains: Invoke-SCShell.ps1
ContextInfo|contains: Invoke-SMBScanner.ps1
ContextInfo|contains: Invoke-SSHCommand.ps1
ContextInfo|contains: Invoke-SSIDExfil.ps1
ContextInfo|contains: Invoke-SafetyKatz.ps1
ContextInfo|contains: Invoke-SauronEye.ps1
ContextInfo|contains: Invoke-Seatbelt.ps1
ContextInfo|contains: Invoke-ServiceAbuse.ps1
ContextInfo|contains: Invoke-SessionGopher.ps1
ContextInfo|contains: Invoke-ShellCode.ps1
ContextInfo|contains: Invoke-Snaffler.ps1
ContextInfo|contains: Invoke-Spoolsample.ps1
ContextInfo|contains: Invoke-StandIn.ps1
ContextInfo|contains: Invoke-StickyNotesExtract.ps1
ContextInfo|contains: Invoke-Tater.ps1
ContextInfo|contains: Invoke-ThunderStruck.ps1
ContextInfo|contains: Invoke-Thunderfox.ps1
ContextInfo|contains: Invoke-TokenManipulation.ps1
ContextInfo|contains: Invoke-Tokenvator.ps1
ContextInfo|contains: Invoke-TotalExec.ps1
ContextInfo|contains: Invoke-UrbanBishop.ps1
ContextInfo|contains: Invoke-UserHunter.ps1
ContextInfo|contains: Invoke-VoiceTroll.ps1
ContextInfo|contains: Invoke-WScriptBypassUAC.ps1
ContextInfo|contains: Invoke-Whisker.ps1
ContextInfo|contains: Invoke-WinEnum.ps1
ContextInfo|contains: Invoke-WireTap.ps1
ContextInfo|contains: Invoke-WmiCommand.ps1
ContextInfo|contains: Invoke-Zerologon.ps1
ContextInfo|contains: Invoke-winPEAS.ps1
ContextInfo|contains: Keylogger.ps1
ContextInfo|contains: MailRaider.ps1
ContextInfo|contains: New-HoneyHash.ps1
ContextInfo|contains: OfficeMemScraper.ps1
ContextInfo|contains: Offline_Winpwn.ps1
ContextInfo|contains: Out-CHM.ps1
ContextInfo|contains: Out-DnsTxt.ps1
ContextInfo|contains: Out-Excel.ps1
ContextInfo|contains: Out-HTA.ps1
ContextInfo|contains: Out-JS.ps1
ContextInfo|contains: Out-Java.ps1
ContextInfo|contains: Out-Minidump.ps1
ContextInfo|contains: Out-RundllCommand.ps1
ContextInfo|contains: Out-SCF.ps1
ContextInfo|contains: Out-SCT.ps1
ContextInfo|contains: Out-Shortcut.ps1
ContextInfo|contains: Out-WebQuery.ps1
ContextInfo|contains: Out-Word.ps1
ContextInfo|contains: PSAsyncShell.ps1
ContextInfo|contains: Parse_Keys.ps1
ContextInfo|contains: Port-Scan.ps1
ContextInfo|contains: PowerBreach.ps1
ContextInfo|contains: PowerRunAsSystem.psm1
ContextInfo|contains: PowerSharpPack.ps1
ContextInfo|contains: PowerUp.ps1
ContextInfo|contains: PowerUpSQL.ps1
ContextInfo|contains: PowerView.ps1
ContextInfo|contains: RemoteHashRetrieval.ps1
ContextInfo|contains: Remove-Persistence.ps1
ContextInfo|contains: Remove-PoshRat.ps1
ContextInfo|contains: Remove-Update.ps1
ContextInfo|contains: Run-EXEonRemote.ps1
ContextInfo|contains: Schtasks-Backdoor.ps1
ContextInfo|contains: Set-DCShadowPermissions.ps1
ContextInfo|contains: Set-MacAttribute.ps1
ContextInfo|contains: Set-RemotePSRemoting.ps1
ContextInfo|contains: Set-RemoteWMI.ps1
ContextInfo|contains: Set-Wallpaper.ps1
ContextInfo|contains: Show-TargetScreen.ps1
ContextInfo|contains: Speak.ps1
ContextInfo|contains: Start-CaptureServer.ps1
ContextInfo|contains: Start-WebcamRecorder.ps1
ContextInfo|contains: StringToBase64.ps1
ContextInfo|contains: TexttoExe.ps1
ContextInfo|contains: Veeam-Get-Creds.ps1
ContextInfo|contains: VolumeShadowCopyTools.ps1
ContextInfo|contains: WSUSpendu.ps1
ContextInfo|contains: WinPwn.ps1
ContextInfo|contains: dnscat2.ps1
ContextInfo|contains: powercat.ps1
Stage 2: 1 of selection_invoke_sharp
ContextInfo|contains: .ps1
ContextInfo|contains: Invoke-Sharp
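As an added example, not part of the rule or the catalog, the following Python evaluator applies the two stages above to constructed PowerShell module-logging (Event ID 4103) records. It uses a subset of the Stage 1 file names (the full list is the rule itself), treats Stage 2 as requiring both substrings (an assumption: the page lists them without the "or:" that Stage 1 carries, which is how a Sigma `contains|all` selection renders), and applies Sigma's default case-insensitive `contains`. The record keys `Provider`, `EventID` and `ContextInfo`, the file paths and the user name are constructed for the example.

```python
"""
Added example (not the rule's own code): evaluates the two selections of the
Sigma rule 'Malicious PowerShell Scripts - PoshModule' against constructed
PowerShell module-logging (Event ID 4103) records.
"""
from __future__ import annotations

# Subset of the selection_generic substrings from the rule; the full list is
# in the rule. Sigma 'contains' is case-insensitive by default, so we casefold.
SELECTION_GENERIC = (
    "Invoke-Mimikatz.ps1",
    "PowerView.ps1",
    "PowerUp.ps1",
    "Get-GPPPassword.ps1",
    "powercat.ps1",
)

# selection_invoke_sharp: both substrings must be present. Read here as a
# 'contains|all' selection (assumption; the page lists them without "or:").
SELECTION_INVOKE_SHARP = (".ps1", "Invoke-Sharp")

PROVIDER = "Microsoft-Windows-PowerShell"   # logsource: PowerShell module logging
EVENT_ID = 4103


def _contains_any(haystack: str, needles: tuple[str, ...]) -> bool:
    h = haystack.casefold()
    return any(n.casefold() in h for n in needles)


def _contains_all(haystack: str, needles: tuple[str, ...]) -> bool:
    h = haystack.casefold()
    return all(n.casefold() in h for n in needles)


def evaluate(event: dict) -> list[str]:
    """Return the selections that fire for one record ([] means no alert).

    Records that are not 4103 events from the PowerShell provider are ignored
    before any string matching, mirroring the rule's logsource restriction.
    """
    if event.get("Provider") != PROVIDER or event.get("EventID") != EVENT_ID:
        return []
    ctx = event.get("ContextInfo", "")
    fired = []
    if _contains_any(ctx, SELECTION_GENERIC):
        fired.append("selection_generic")
    if _contains_all(ctx, SELECTION_INVOKE_SHARP):
        fired.append("selection_invoke_sharp")
    return fired


def _ctx(script_name: str, command: str = "Import-Module") -> str:
    # Constructed ContextInfo block in the shape module logging writes it.
    return (
        "Severity = Informational\n"
        "Host Name = ConsoleHost\n"
        "Host Application = powershell.exe\n"
        f"Command Name = {command}\n"
        "Command Type = Cmdlet\n"
        f"Script Name = {script_name}\n"
        "User = CORP\\jdoe\n"
    )


# Constructed sample records (paths and user are made up for the example).
SAMPLE_EVENTS = [
    {"Provider": PROVIDER, "EventID": 4103,
     "ContextInfo": _ctx(r"C:\Users\jdoe\Downloads\powerview.ps1")},   # Stage 1, lower-case name
    {"Provider": PROVIDER, "EventID": 4103,
     "ContextInfo": _ctx(r"C:\Temp\Invoke-SharpView.ps1")},            # Stage 2, both substrings
    {"Provider": PROVIDER, "EventID": 4103,
     "ContextInfo": _ctx(r"C:\Scripts\Backup-Database.ps1")},          # benign, no match
    {"Provider": PROVIDER, "EventID": 4103,
     "ContextInfo": _ctx(r"C:\Tools\Invoke-SharpenImage.ps1")},        # benign name that still fires
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 1,
     "ContextInfo": _ctx(r"C:\Temp\PowerUp.ps1")},                      # wrong logsource, ignored
]


def run(events=SAMPLE_EVENTS) -> dict[int, list[str]]:
    """Map each record index to the selections that fired for it."""
    return {i: evaluate(e) for i, e in enumerate(events)}


if __name__ == "__main__":
    for i, fired in run().items():
        print(i, fired or "no match")
```

The fourth sample shows why Stage 2 is the tuning candidate in this rule: any `.ps1` whose name starts with `Invoke-Sharp` fires, so hits from that selection should be reviewed against the script's origin and signer rather than blocked automatically, while Stage 1 hits on exact tool file names warrant an immediate look at the user and host in the same `ContextInfo` block.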
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| ContextInfo | match | (substrings listed under Stages and Predicates above) |