Malicious PowerShell Commandlets - ScriptBlock

Severity: high
Author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
Source: upstream

Detects Commandlet names from well-known PowerShell exploitation frameworks

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1059.001` Command and Scripting Interpreter: PowerShell
Discovery	`T1069` Permission Groups Discovery, `T1069.001` Permission Groups Discovery: Local Groups, `T1069.002` Permission Groups Discovery: Domain Groups, `T1087` Account Discovery, `T1087.001` Account Discovery: Local Account, `T1087.002` Account Discovery: Domain Account, `T1482` Domain Trust Discovery

Event coverage

Provider	Event ID	Title
PowerShell	4104	Creating Scriptblock text (MessageNumber of MessageTotal).

Stages and Predicates

Stage 1: `selection`

or:
ScriptBlockText|contains: Add-Exfiltration
ScriptBlockText|contains: Add-Persistence
ScriptBlockText|contains: Add-RegBackdoor
ScriptBlockText|contains: Add-RemoteRegBackdoor
ScriptBlockText|contains: Add-ScrnSaveBackdoor
ScriptBlockText|contains: ConvertTo-Rc4ByteStream
ScriptBlockText|contains: Decrypt-Hash
ScriptBlockText|contains: Disable-ADIDNSNode
ScriptBlockText|contains: Do-Exfiltration
ScriptBlockText|contains: Enable-ADIDNSNode
ScriptBlockText|contains: Enabled-DuplicateToken
ScriptBlockText|contains: Exploit-Jboss
ScriptBlockText|contains: Export-ADRCSV
ScriptBlockText|contains: Export-ADRExcel
ScriptBlockText|contains: Export-ADRHTML
ScriptBlockText|contains: Export-ADRJSON
ScriptBlockText|contains: Export-ADRXML
ScriptBlockText|contains: Find-Fruit
ScriptBlockText|contains: Find-GPOLocation
ScriptBlockText|contains: Find-TrustedDocuments
ScriptBlockText|contains: Get-ADIDNSNodeAttribute
ScriptBlockText|contains: Get-ADIDNSNodeOwner
ScriptBlockText|contains: Get-ADIDNSNodeTombstoned
ScriptBlockText|contains: Get-ADIDNSPermission
ScriptBlockText|contains: Get-ADIDNSZone
ScriptBlockText|contains: Get-ChromeDump
ScriptBlockText|contains: Get-ClipboardContents
ScriptBlockText|contains: Get-FoxDump
ScriptBlockText|contains: Get-GPPPassword
ScriptBlockText|contains: Get-IndexedItem
ScriptBlockText|contains: Get-KerberosAESKey
ScriptBlockText|contains: Get-Keystrokes
ScriptBlockText|contains: Get-LSASecret
ScriptBlockText|contains: Get-PassHashes
ScriptBlockText|contains: Get-RegAlwaysInstallElevated
ScriptBlockText|contains: Get-RegAutoLogon
ScriptBlockText|contains: Get-RemoteBootKey
ScriptBlockText|contains: Get-RemoteCachedCredential
ScriptBlockText|contains: Get-RemoteLSAKey
ScriptBlockText|contains: Get-RemoteLocalAccountHash
ScriptBlockText|contains: Get-RemoteMachineAccountHash
ScriptBlockText|contains: Get-RemoteNLKMKey
ScriptBlockText|contains: Get-RickAstley
ScriptBlockText|contains: Get-SecurityPackages
ScriptBlockText|contains: Get-ServiceFilePermission
ScriptBlockText|contains: Get-ServicePermission
ScriptBlockText|contains: Get-ServiceUnquoted
ScriptBlockText|contains: Get-SiteListPassword
ScriptBlockText|contains: Get-System
ScriptBlockText|contains: Get-TimedScreenshot
ScriptBlockText|contains: Get-USBKeystrokes
ScriptBlockText|contains: Get-UnattendedInstallFile
ScriptBlockText|contains: Get-Unconstrained
ScriptBlockText|contains: Get-VaultCredential
ScriptBlockText|contains: Get-VulnAutoRun
ScriptBlockText|contains: Get-VulnSchTask
ScriptBlockText|contains: Grant-ADIDNSPermission
ScriptBlockText|contains: Gupt-Backdoor
ScriptBlockText|contains: Invoke-ACLScanner
ScriptBlockText|contains: Invoke-ADRecon
ScriptBlockText|contains: Invoke-ADSBackdoor
ScriptBlockText|contains: Invoke-ARPScan
ScriptBlockText|contains: Invoke-AgentSmith
ScriptBlockText|contains: Invoke-AllChecks
ScriptBlockText|contains: Invoke-AzureHound
ScriptBlockText|contains: Invoke-BackdoorLNK
ScriptBlockText|contains: Invoke-BadPotato
ScriptBlockText|contains: Invoke-BetterSafetyKatz
ScriptBlockText|contains: Invoke-BypassUAC
ScriptBlockText|contains: Invoke-Carbuncle
ScriptBlockText|contains: Invoke-Certify
ScriptBlockText|contains: Invoke-ConPtyShell
ScriptBlockText|contains: Invoke-CredentialInjection
ScriptBlockText|contains: Invoke-DAFT
ScriptBlockText|contains: Invoke-DCSync
ScriptBlockText|contains: Invoke-DNSExfiltrator
ScriptBlockText|contains: Invoke-DNSUpdate
ScriptBlockText|contains: Invoke-DinvokeKatz
ScriptBlockText|contains: Invoke-DllInjection
ScriptBlockText|contains: Invoke-DomainPasswordSpray
ScriptBlockText|contains: Invoke-DowngradeAccount
ScriptBlockText|contains: Invoke-EgressCheck
ScriptBlockText|contains: Invoke-Eyewitness
ScriptBlockText|contains: Invoke-FakeLogonScreen
ScriptBlockText|contains: Invoke-Farmer
ScriptBlockText|contains: Invoke-Get-RBCD-Threaded
ScriptBlockText|contains: Invoke-Gopher
ScriptBlockText|contains: Invoke-Grouper
ScriptBlockText|contains: Invoke-HandleKatz
ScriptBlockText|contains: Invoke-ImpersonateSystem
ScriptBlockText|contains: Invoke-ImpersonatedProcess
ScriptBlockText|contains: 'Invoke-InteractiveSystemPowerShell'
ScriptBlockText|contains: Invoke-Internalmonologue
ScriptBlockText|contains: Invoke-Inveigh
ScriptBlockText|contains: Invoke-InveighRelay
ScriptBlockText|contains: Invoke-KrbRelay
ScriptBlockText|contains: Invoke-LdapSignCheck
ScriptBlockText|contains: Invoke-Lockless
ScriptBlockText|contains: Invoke-MITM6
ScriptBlockText|contains: Invoke-MalSCCM
ScriptBlockText|contains: Invoke-Mimikatz
ScriptBlockText|contains: Invoke-Mimikittenz
ScriptBlockText|contains: Invoke-NanoDump
ScriptBlockText|contains: Invoke-NetRipper
ScriptBlockText|contains: Invoke-Nightmare
ScriptBlockText|contains: Invoke-NinjaCopy
ScriptBlockText|contains: Invoke-OfficeScrape
ScriptBlockText|contains: Invoke-OxidResolver
ScriptBlockText|contains: Invoke-P0wnedshell
ScriptBlockText|contains: Invoke-PPLDump
ScriptBlockText|contains: Invoke-PSInject
ScriptBlockText|contains: Invoke-Paranoia
ScriptBlockText|contains: Invoke-PortScan
ScriptBlockText|contains: Invoke-PoshRatHttp
ScriptBlockText|contains: Invoke-PostExfil
ScriptBlockText|contains: Invoke-PowerDPAPI
ScriptBlockText|contains: Invoke-PowerDump
ScriptBlockText|contains: Invoke-PowerShellTCP
ScriptBlockText|contains: Invoke-PowerShellWMI
ScriptBlockText|contains: Invoke-PsExec
ScriptBlockText|contains: Invoke-PsUaCme
ScriptBlockText|contains: Invoke-ReflectivePEInjection
ScriptBlockText|contains: Invoke-ReverseDNSLookup
ScriptBlockText|contains: Invoke-Rubeus
ScriptBlockText|contains: Invoke-RunAs
ScriptBlockText|contains: Invoke-SCShell
ScriptBlockText|contains: Invoke-SMBScanner
ScriptBlockText|contains: Invoke-SSHCommand
ScriptBlockText|contains: Invoke-SafetyKatz
ScriptBlockText|contains: Invoke-SauronEye
ScriptBlockText|contains: Invoke-Seatbelt
ScriptBlockText|contains: Invoke-ServiceAbuse
ScriptBlockText|contains: Invoke-ShadowSpray
ScriptBlockText|contains: Invoke-Sharp
ScriptBlockText|contains: Invoke-Shellcode
ScriptBlockText|contains: Invoke-Snaffler
ScriptBlockText|contains: Invoke-Spoolsample
ScriptBlockText|contains: Invoke-SpraySinglePassword
ScriptBlockText|contains: Invoke-StandIn
ScriptBlockText|contains: Invoke-StickyNotesExtract
ScriptBlockText|contains: Invoke-SystemCommand
ScriptBlockText|contains: Invoke-Tasksbackdoor
ScriptBlockText|contains: Invoke-Tater
ScriptBlockText|contains: Invoke-ThunderStruck
ScriptBlockText|contains: Invoke-Thunderfox
ScriptBlockText|contains: Invoke-TokenManipulation
ScriptBlockText|contains: Invoke-Tokenvator
ScriptBlockText|contains: Invoke-TotalExec
ScriptBlockText|contains: Invoke-UrbanBishop
ScriptBlockText|contains: Invoke-UserHunter
ScriptBlockText|contains: Invoke-VoiceTroll
ScriptBlockText|contains: Invoke-WMIExec
ScriptBlockText|contains: Invoke-WScriptBypassUAC
ScriptBlockText|contains: Invoke-Whisker
ScriptBlockText|contains: Invoke-WinEnum
ScriptBlockText|contains: Invoke-WireTap
ScriptBlockText|contains: Invoke-WmiCommand
ScriptBlockText|contains: Invoke-Zerologon
ScriptBlockText|contains: Invoke-winPEAS
ScriptBlockText|contains: MailRaider
ScriptBlockText|contains: New-ADIDNSNode
ScriptBlockText|contains: New-HoneyHash
ScriptBlockText|contains: New-InMemoryModule
ScriptBlockText|contains: New-SOASerialNumberArray
ScriptBlockText|contains: Out-Minidump
ScriptBlockText|contains: PowerBreach
ScriptBlockText|contains: PowerUp
ScriptBlockText|contains: PowerView
ScriptBlockText|contains: Remove-ADIDNSNode
ScriptBlockText|contains: Remove-Update
ScriptBlockText|contains: Rename-ADIDNSNode
ScriptBlockText|contains: Revoke-ADIDNSPermission
ScriptBlockText|contains: Set-ADIDNSNode
ScriptBlockText|contains: Show-TargetScreen
ScriptBlockText|contains: Start-CaptureServer
ScriptBlockText|contains: Start-Dnscat2
ScriptBlockText|contains: Start-WebcamRecorder
ScriptBlockText|contains: VolumeShadowCopyTools
ScriptBlockText|contains: 'powercat '

Stage 2: `not 1 of filter_optional_amazon_ec2`

or:
ScriptBlockText|contains: 'C:\ProgramData\Amazon\EC2-Windows\Launch\Module\'
ScriptBlockText|contains: Get-SystemDriveInfo

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`ScriptBlockText`	match	`Add-Exfiltration` `Add-Persistence` `Add-RegBackdoor` `Add-RemoteRegBackdoor` `Add-ScrnSaveBackdoor` `C:\ProgramData\Amazon\EC2-Windows\Launch\Module\` `ConvertTo-Rc4ByteStream` `Decrypt-Hash` `Disable-ADIDNSNode` `Do-Exfiltration` `Enable-ADIDNSNode` `Enabled-DuplicateToken` `Exploit-Jboss` `Export-ADRCSV` `Export-ADRExcel` `Export-ADRHTML` `Export-ADRJSON` `Export-ADRXML` `Find-Fruit` `Find-GPOLocation` corpus 2 (sigma 2) `Find-TrustedDocuments` `Get-ADIDNSNodeAttribute` `Get-ADIDNSNodeOwner` `Get-ADIDNSNodeTombstoned` `Get-ADIDNSPermission` `Get-ADIDNSZone` `Get-ChromeDump` `Get-ClipboardContents` `Get-FoxDump` `Get-GPPPassword` `Get-IndexedItem` `Get-KerberosAESKey` `Get-Keystrokes` corpus 2 (sigma 2) `Get-LSASecret` `Get-PassHashes` `Get-RegAlwaysInstallElevated` `Get-RegAutoLogon` `Get-RemoteBootKey` `Get-RemoteCachedCredential` `Get-RemoteLSAKey` `Get-RemoteLocalAccountHash` `Get-RemoteMachineAccountHash` `Get-RemoteNLKMKey` `Get-RickAstley` `Get-SecurityPackages` `Get-ServiceFilePermission` `Get-ServicePermission` `Get-ServiceUnquoted` `Get-SiteListPassword` `Get-System` `Get-SystemDriveInfo` `Get-TimedScreenshot` `Get-USBKeystrokes` `Get-UnattendedInstallFile` `Get-Unconstrained` `Get-VaultCredential` `Get-VulnAutoRun` `Get-VulnSchTask` `Grant-ADIDNSPermission` `Gupt-Backdoor` `Invoke-ACLScanner` corpus 2 (sigma 2) `Invoke-ADRecon` `Invoke-ADSBackdoor` `Invoke-ARPScan` `Invoke-AgentSmith` `Invoke-AllChecks` `Invoke-AzureHound` `Invoke-BackdoorLNK` `Invoke-BadPotato` `Invoke-BetterSafetyKatz` `Invoke-BypassUAC` `Invoke-Carbuncle` `Invoke-Certify` `Invoke-ConPtyShell` `Invoke-CredentialInjection` `Invoke-DAFT` `Invoke-DCSync` `Invoke-DNSExfiltrator` corpus 2 (sigma 2) `Invoke-DNSUpdate` `Invoke-DinvokeKatz` `Invoke-DllInjection` `Invoke-DomainPasswordSpray` `Invoke-DowngradeAccount` `Invoke-EgressCheck` `Invoke-Eyewitness` `Invoke-FakeLogonScreen` `Invoke-Farmer` `Invoke-Get-RBCD-Threaded` `Invoke-Gopher` `Invoke-Grouper` `Invoke-HandleKatz` `Invoke-ImpersonateSystem` `Invoke-ImpersonatedProcess` `Invoke-InteractiveSystemPowerShell` `Invoke-Internalmonologue` `Invoke-Inveigh` `Invoke-InveighRelay` `Invoke-KrbRelay` `Invoke-LdapSignCheck` `Invoke-Lockless` `Invoke-MITM6` `Invoke-MalSCCM` `Invoke-Mimikatz` `Invoke-Mimikittenz` `Invoke-NanoDump` `Invoke-NetRipper` `Invoke-Nightmare` `Invoke-NinjaCopy` `Invoke-OfficeScrape` `Invoke-OxidResolver` `Invoke-P0wnedshell` `Invoke-PPLDump` `Invoke-PSInject` `Invoke-Paranoia` `Invoke-PortScan` `Invoke-PoshRatHttp` `Invoke-PostExfil` `Invoke-PowerDPAPI` `Invoke-PowerDump` `Invoke-PowerShellTCP` `Invoke-PowerShellWMI` `Invoke-PsExec` `Invoke-PsUaCme` `Invoke-ReflectivePEInjection` `Invoke-ReverseDNSLookup` `Invoke-Rubeus` `Invoke-RunAs` `Invoke-SCShell` `Invoke-SMBScanner` `Invoke-SSHCommand` `Invoke-SafetyKatz` `Invoke-SauronEye` `Invoke-Seatbelt` `Invoke-ServiceAbuse` `Invoke-ShadowSpray` `Invoke-Sharp` `Invoke-Shellcode` `Invoke-Snaffler` `Invoke-Spoolsample` `Invoke-SpraySinglePassword` `Invoke-StandIn` `Invoke-StickyNotesExtract` `Invoke-SystemCommand` `Invoke-Tasksbackdoor` `Invoke-Tater` `Invoke-ThunderStruck` `Invoke-Thunderfox` `Invoke-TokenManipulation` `Invoke-Tokenvator` `Invoke-TotalExec` `Invoke-UrbanBishop` `Invoke-UserHunter` corpus 2 (sigma 2) `Invoke-VoiceTroll` `Invoke-WMIExec` `Invoke-WScriptBypassUAC` `Invoke-Whisker` `Invoke-WinEnum` `Invoke-WireTap` `Invoke-WmiCommand` `Invoke-Zerologon` `Invoke-winPEAS` `MailRaider` `New-ADIDNSNode` `New-HoneyHash` `New-InMemoryModule` `New-SOASerialNumberArray` `Out-Minidump` `PowerBreach` `PowerUp` `PowerView` `Remove-ADIDNSNode` `Remove-Update` corpus 2 (sigma 2) `Rename-ADIDNSNode` `Revoke-ADIDNSPermission` `Set-ADIDNSNode` `Show-TargetScreen` `Start-CaptureServer` `Start-Dnscat2` `Start-WebcamRecorder` `VolumeShadowCopyTools` `powercat`

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.

Potential PowerShell Obfuscation via Invalid Escape Sequences [elastic] (cross-vendor) (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)
Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion [elastic] (cross-vendor) (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)
Potential PowerShell Obfuscation via Character Array Reconstruction [elastic] (cross-vendor) (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)
Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation [elastic] (cross-vendor) (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)
Potential PowerShell Obfuscation via High Numeric Character Proportion [elastic] (cross-vendor) (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)
Potential Dynamic IEX Reconstruction via Environment Variables [elastic] (cross-vendor) (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)
Dynamic IEX Reconstruction via Method String Access [elastic] (cross-vendor) (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)
PowerShell Obfuscation via Negative Index String Reversal [elastic] (cross-vendor) (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)
Potential PowerShell Obfuscation via Reverse Keywords [elastic] (cross-vendor) (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)
Potential PowerShell Obfuscation via String Concatenation [elastic] (cross-vendor) (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)
Potential PowerShell Obfuscation via String Reordering [elastic] (cross-vendor) (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)
Potential PowerShell Obfuscation via Special Character Overuse [elastic] (cross-vendor) (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)