Malicious PowerShell Commandlets - PoshModule
Detects Commandlet names from well-known PowerShell exploitation frameworks
MITRE ATT&CK coverage
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| PowerShell | 4103 | Payload Context: ContextInfo User Data: UserData. |
Stages and Predicates
Stage 1: selection
or:
Payload|contains: Add-Exfiltration
Payload|contains: Add-Persistence
Payload|contains: Add-RegBackdoor
Payload|contains: Add-RemoteRegBackdoor
Payload|contains: Add-ScrnSaveBackdoor
Payload|contains: BadSuccessor
Payload|contains: Check-VM
Payload|contains: ConvertTo-Rc4ByteStream
Payload|contains: Decrypt-Hash
Payload|contains: Disable-ADIDNSNode
Payload|contains: Disable-MachineAccount
Payload|contains: Do-Exfiltration
Payload|contains: Enable-ADIDNSNode
Payload|contains: Enable-MachineAccount
Payload|contains: Enabled-DuplicateToken
Payload|contains: Exploit-Jboss
Payload|contains: Export-ADR
Payload|contains: Export-ADRCSV
Payload|contains: Export-ADRExcel
Payload|contains: Export-ADRHTML
Payload|contains: Export-ADRJSON
Payload|contains: Export-ADRXML
Payload|contains: Find-Fruit
Payload|contains: Find-GPOLocation
Payload|contains: Find-TrustedDocuments
Payload|contains: Get-ADIDNS
Payload|contains: Get-ApplicationHost
Payload|contains: Get-ChromeDump
Payload|contains: Get-ClipboardContents
Payload|contains: Get-FoxDump
Payload|contains: Get-GPPPassword
Payload|contains: Get-IndexedItem
Payload|contains: Get-KerberosAESKey
Payload|contains: Get-Keystrokes
Payload|contains: Get-LSASecret
Payload|contains: Get-MachineAccountAttribute
Payload|contains: Get-MachineAccountCreator
Payload|contains: Get-PassHashes
Payload|contains: Get-RegAlwaysInstallElevated
Payload|contains: Get-RegAutoLogon
Payload|contains: Get-RemoteBootKey
Payload|contains: Get-RemoteCachedCredential
Payload|contains: Get-RemoteLSAKey
Payload|contains: Get-RemoteLocalAccountHash
Payload|contains: Get-RemoteMachineAccountHash
Payload|contains: Get-RemoteNLKMKey
Payload|contains: Get-RickAstley
Payload|contains: Get-Screenshot
Payload|contains: Get-SecurityPackages
Payload|contains: Get-ServiceFilePermission
Payload|contains: Get-ServicePermission
Payload|contains: Get-ServiceUnquoted
Payload|contains: Get-SiteListPassword
Payload|contains: Get-System
Payload|contains: Get-TimedScreenshot
Payload|contains: Get-USBKeystrokes
Payload|contains: Get-UnattendedInstallFile
Payload|contains: Get-Unconstrained
Payload|contains: Get-VaultCredential
Payload|contains: Get-VulnAutoRun
Payload|contains: Get-VulnSchTask
Payload|contains: Grant-ADIDNSPermission
Payload|contains: Gupt-Backdoor
Payload|contains: HTTP-Login
Payload|contains: Install-SSP
Payload|contains: Install-ServiceBinary
Payload|contains: Invoke-ACLScanner
Payload|contains: Invoke-ADRecon
Payload|contains: Invoke-ADSBackdoor
Payload|contains: Invoke-ARPScan
Payload|contains: Invoke-AgentSmith
Payload|contains: Invoke-AllChecks
Payload|contains: Invoke-AzureHound
Payload|contains: Invoke-BackdoorLNK
Payload|contains: Invoke-BadPotato
Payload|contains: Invoke-BetterSafetyKatz
Payload|contains: Invoke-BypassUAC
Payload|contains: Invoke-Carbuncle
Payload|contains: Invoke-Certify
Payload|contains: Invoke-ConPtyShell
Payload|contains: Invoke-CredentialInjection
Payload|contains: Invoke-DAFT
Payload|contains: Invoke-DCSync
Payload|contains: Invoke-DNSExfiltrator
Payload|contains: Invoke-DNSUpdate
Payload|contains: Invoke-DinvokeKatz
Payload|contains: Invoke-DllInjection
Payload|contains: Invoke-DomainPasswordSpray
Payload|contains: Invoke-DowngradeAccount
Payload|contains: Invoke-EgressCheck
Payload|contains: Invoke-Eyewitness
Payload|contains: Invoke-FakeLogonScreen
Payload|contains: Invoke-Farmer
Payload|contains: Invoke-Get-RBCD-Threaded
Payload|contains: Invoke-Gopher
Payload|contains: Invoke-Grouper
Payload|contains: Invoke-HandleKatz
Payload|contains: Invoke-ImpersonateSystem
Payload|contains: Invoke-ImpersonatedProcess
Payload|contains: 'Invoke-InteractiveSystemPowerShell'
Payload|contains: Invoke-Internalmonologue
Payload|contains: Invoke-Inveigh
Payload|contains: Invoke-InveighRelay
Payload|contains: Invoke-KrbRelay
Payload|contains: Invoke-LdapSignCheck
Payload|contains: Invoke-Lockless
Payload|contains: Invoke-MITM6
Payload|contains: Invoke-MalSCCM
Payload|contains: Invoke-Mimikatz
Payload|contains: Invoke-Mimikittenz
Payload|contains: Invoke-NanoDump
Payload|contains: Invoke-NetRipper
Payload|contains: Invoke-Nightmare
Payload|contains: Invoke-NinjaCopy
Payload|contains: Invoke-OfficeScrape
Payload|contains: Invoke-OxidResolver
Payload|contains: Invoke-P0wnedshell
Payload|contains: Invoke-PPLDump
Payload|contains: Invoke-PSInject
Payload|contains: Invoke-Paranoia
Payload|contains: Invoke-PortScan
Payload|contains: Invoke-PoshRatHttp
Payload|contains: Invoke-PostExfil
Payload|contains: Invoke-PowerDPAPI
Payload|contains: Invoke-PowerDump
Payload|contains: Invoke-PowerShellTCP
Payload|contains: Invoke-PowerShellWMI
Payload|contains: Invoke-PsExec
Payload|contains: Invoke-PsUaCme
Payload|contains: Invoke-ReflectivePEInjection
Payload|contains: Invoke-ReverseDNSLookup
Payload|contains: Invoke-Rubeus
Payload|contains: Invoke-RunAs
Payload|contains: Invoke-SCShell
Payload|contains: Invoke-SMBScanner
Payload|contains: Invoke-SSHCommand
Payload|contains: Invoke-SafetyKatz
Payload|contains: Invoke-SauronEye
Payload|contains: Invoke-Seatbelt
Payload|contains: Invoke-ServiceAbuse
Payload|contains: Invoke-ShadowSpray
Payload|contains: Invoke-Sharp
Payload|contains: Invoke-Shellcode
Payload|contains: Invoke-Snaffler
Payload|contains: Invoke-Spoolsample
Payload|contains: Invoke-SpraySinglePassword
Payload|contains: Invoke-StandIn
Payload|contains: Invoke-StickyNotesExtract
Payload|contains: Invoke-SystemCommand
Payload|contains: Invoke-Tasksbackdoor
Payload|contains: Invoke-Tater
Payload|contains: Invoke-ThunderStruck
Payload|contains: Invoke-Thunderfox
Payload|contains: Invoke-TokenManipulation
Payload|contains: Invoke-Tokenvator
Payload|contains: Invoke-TotalExec
Payload|contains: Invoke-UrbanBishop
Payload|contains: Invoke-UserHunter
Payload|contains: Invoke-VoiceTroll
Payload|contains: Invoke-WMIExec
Payload|contains: Invoke-WScriptBypassUAC
Payload|contains: Invoke-Whisker
Payload|contains: Invoke-WinEnum
Payload|contains: Invoke-WireTap
Payload|contains: Invoke-WmiCommand
Payload|contains: Invoke-Zerologon
Payload|contains: Invoke-winPEAS
Payload|contains: MailRaider
Payload|contains: New-ADIDNSNode
Payload|contains: New-DNSRecordArray
Payload|contains: New-HoneyHash
Payload|contains: New-InMemoryModule
Payload|contains: New-MachineAccount
Payload|contains: New-SOASerialNumberArray
Payload|contains: Out-Minidump
Payload|contains: Port-Scan
Payload|contains: PowerBreach
Payload|contains: PowerUp
Payload|contains: PowerView
Payload|contains: Remove-ADIDNSNode
Payload|contains: Remove-MachineAccount
Payload|contains: Remove-Update
Payload|contains: Rename-ADIDNSNode
Payload|contains: Revoke-ADIDNSPermission
Payload|contains: Set-ADIDNSNode
Payload|contains: Set-MacAttribute
Payload|contains: Set-MachineAccountAttribute
Payload|contains: Set-Wallpaper
Payload|contains: Show-TargetScreen
Payload|contains: Start-CaptureServer
Payload|contains: Start-Dnscat2
Payload|contains: Start-WebcamRecorder
Payload|contains: Veeam-Get-Creds
Payload|contains: VolumeShadowCopyTools
Payload|contains: 'powercat '
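As an added example that is not part of the rule or the catalog, the following emulates this Stage 1 selection over constructed PowerShell 4103 module-logging records, using a subset of the values listed above. It shows the two properties a detection engineer should verify before deploying the rule: Sigma `contains` is a case-insensitive substring test (so `Get-System` also fires on any longer cmdlet name that starts with it), and the trailing space in `'powercat '` is part of the value (so `powercat.ps1` alone does not match). `Get-SystemReport` and the record contents are constructed, not real telemetry.

```python
# Emulation of this Sigma rule's Stage 1 'selection' over PowerShell 4103 events.
# Subset of the rule's Payload|contains values; the full list is on the page.
SELECTION = (
    "Invoke-Mimikatz",
    "Get-GPPPassword",
    "Invoke-DCSync",
    "New-MachineAccount",
    "Get-System",
    "powercat ",   # trailing space is part of the rule value
)

def sigma_contains(haystack: str, needle: str) -> bool:
    """Sigma 'contains' without the 'cased' modifier: case-insensitive substring."""
    return needle.casefold() in haystack.casefold()

def matching_indicators(event: dict) -> list:
    """Return the selection values that fire for one event (empty list = no alert)."""
    if event.get("EventID") != 4103:      # logsource: PowerShell module logging
        return []
    payload = event.get("Payload", "")
    return [v for v in SELECTION if sigma_contains(payload, v)]

def run_rule(events):
    """Yield (RecordId, hits) for every event the rule would alert on."""
    for ev in events:
        hits = matching_indicators(ev)
        if hits:
            yield ev["RecordId"], hits

# Constructed sample records shaped like 4103 'Executing Pipeline' payloads.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4103,
     "Payload": 'CommandInvocation(invoke-mimikatz): "invoke-mimikatz"'},
    {"RecordId": 2, "EventID": 4103,
     "Payload": 'CommandInvocation(Get-Process): "Get-Process"'},
    {"RecordId": 3, "EventID": 4103,   # constructed benign name; substring hit on Get-System
     "Payload": 'CommandInvocation(Get-SystemReport): "Get-SystemReport"'},
    {"RecordId": 4, "EventID": 4103,   # no space after 'powercat', so no match
     "Payload": 'ParameterBinding(Import-Module): name="Name"; value="powercat.ps1"'},
    {"RecordId": 5, "EventID": 4104,   # script-block event: wrong logsource for this rule
     "Payload": "Invoke-DCSync"},
]

if __name__ == "__main__":
    for record_id, hits in run_rule(SAMPLE_EVENTS):
        print(record_id, hits)
```

Record 3 is the false-positive shape to watch for when tuning: any cmdlet whose name begins with `Get-System` trips the rule, so a tighter value or an exclusion filter may be needed in environments that ship such modules.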
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| Payload | match | the Stage 1 `Payload|contains` values listed above |