
Malicious PowerShell Commandlets - ProcessCreation

Severity: high
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects Commandlet names from well-known PowerShell exploitation frameworks

MITRE ATT&CK coverage

Tactic: Execution
  Techniques: T1059.001 Command and Scripting Interpreter: PowerShell
Tactic: Discovery
  Techniques: T1069 Permission Groups Discovery, T1069.001 Permission Groups Discovery: Local Groups, T1069.002 Permission Groups Discovery: Domain Groups, T1087 Account Discovery, T1087.001 Account Discovery: Local Account, T1087.002 Account Discovery: Domain Account, T1482 Domain Trust Discovery

Event coverage

Provider: Sysmon, Event ID: 1, Title: Process creation
Provider: Security-Auditing, Event ID: 4688, Title: A new process has been created.

Stages and Predicates

Stage 1: selection

or:
CommandLine|contains: Add-Exfiltration
CommandLine|contains: Add-Persistence
CommandLine|contains: Add-RegBackdoor
CommandLine|contains: Add-RemoteRegBackdoor
CommandLine|contains: Add-ScrnSaveBackdoor
CommandLine|contains: Check-VM
CommandLine|contains: ConvertTo-Rc4ByteStream
CommandLine|contains: Decrypt-Hash
CommandLine|contains: Disable-ADIDNSNode
CommandLine|contains: Disable-MachineAccount
CommandLine|contains: Do-Exfiltration
CommandLine|contains: Enable-ADIDNSNode
CommandLine|contains: Enable-MachineAccount
CommandLine|contains: Enabled-DuplicateToken
CommandLine|contains: Exploit-Jboss
CommandLine|contains: Export-ADR
CommandLine|contains: Export-ADRCSV
CommandLine|contains: Export-ADRExcel
CommandLine|contains: Export-ADRHTML
CommandLine|contains: Export-ADRJSON
CommandLine|contains: Export-ADRXML
CommandLine|contains: Find-Fruit
CommandLine|contains: Find-GPOLocation
CommandLine|contains: Find-TrustedDocuments
CommandLine|contains: Get-ADIDNS
CommandLine|contains: Get-ApplicationHost
CommandLine|contains: Get-ChromeDump
CommandLine|contains: Get-ClipboardContents
CommandLine|contains: Get-FoxDump
CommandLine|contains: Get-GPPPassword
CommandLine|contains: Get-IndexedItem
CommandLine|contains: Get-KerberosAESKey
CommandLine|contains: Get-Keystrokes
CommandLine|contains: Get-LSASecret
CommandLine|contains: Get-MachineAccountAttribute
CommandLine|contains: Get-MachineAccountCreator
CommandLine|contains: Get-PassHashes
CommandLine|contains: Get-RegAlwaysInstallElevated
CommandLine|contains: Get-RegAutoLogon
CommandLine|contains: Get-RemoteBootKey
CommandLine|contains: Get-RemoteCachedCredential
CommandLine|contains: Get-RemoteLSAKey
CommandLine|contains: Get-RemoteLocalAccountHash
CommandLine|contains: Get-RemoteMachineAccountHash
CommandLine|contains: Get-RemoteNLKMKey
CommandLine|contains: Get-RickAstley
CommandLine|contains: Get-Screenshot
CommandLine|contains: Get-SecurityPackages
CommandLine|contains: Get-ServiceFilePermission
CommandLine|contains: Get-ServicePermission
CommandLine|contains: Get-ServiceUnquoted
CommandLine|contains: Get-SiteListPassword
CommandLine|contains: Get-System
CommandLine|contains: Get-TimedScreenshot
CommandLine|contains: Get-USBKeystrokes
CommandLine|contains: Get-UnattendedInstallFile
CommandLine|contains: Get-Unconstrained
CommandLine|contains: Get-VaultCredential
CommandLine|contains: Get-VulnAutoRun
CommandLine|contains: Get-VulnSchTask
CommandLine|contains: Grant-ADIDNSPermission
CommandLine|contains: Gupt-Backdoor
CommandLine|contains: HTTP-Login
CommandLine|contains: Install-SSP
CommandLine|contains: Install-ServiceBinary
CommandLine|contains: Invoke-ACLScanner
CommandLine|contains: Invoke-ADRecon
CommandLine|contains: Invoke-ADSBackdoor
CommandLine|contains: Invoke-ARPScan
CommandLine|contains: Invoke-AgentSmith
CommandLine|contains: Invoke-AllChecks
CommandLine|contains: Invoke-AzureHound
CommandLine|contains: Invoke-BackdoorLNK
CommandLine|contains: Invoke-BadPotato
CommandLine|contains: Invoke-BetterSafetyKatz
CommandLine|contains: Invoke-BypassUAC
CommandLine|contains: Invoke-Carbuncle
CommandLine|contains: Invoke-Certify
CommandLine|contains: Invoke-ConPtyShell
CommandLine|contains: Invoke-CredentialInjection
CommandLine|contains: Invoke-DAFT
CommandLine|contains: Invoke-DCSync
CommandLine|contains: Invoke-DNSExfiltrator
CommandLine|contains: Invoke-DNSUpdate
CommandLine|contains: Invoke-DinvokeKatz
CommandLine|contains: Invoke-DllInjection
CommandLine|contains: Invoke-DomainPasswordSpray
CommandLine|contains: Invoke-DowngradeAccount
CommandLine|contains: Invoke-EgressCheck
CommandLine|contains: Invoke-Eyewitness
CommandLine|contains: Invoke-FakeLogonScreen
CommandLine|contains: Invoke-Farmer
CommandLine|contains: Invoke-Get-RBCD-Threaded
CommandLine|contains: Invoke-Gopher
CommandLine|contains: Invoke-Grouper
CommandLine|contains: Invoke-HandleKatz
CommandLine|contains: Invoke-ImpersonateSystem
CommandLine|contains: Invoke-ImpersonatedProcess
CommandLine|contains: 'Invoke-InteractiveSystemPowerShell'
CommandLine|contains: Invoke-Internalmonologue
CommandLine|contains: Invoke-Inveigh
CommandLine|contains: Invoke-InveighRelay
CommandLine|contains: Invoke-KrbRelay
CommandLine|contains: Invoke-LdapSignCheck
CommandLine|contains: Invoke-Lockless
CommandLine|contains: Invoke-MITM6
CommandLine|contains: Invoke-MalSCCM
CommandLine|contains: Invoke-Mimikatz
CommandLine|contains: Invoke-Mimikittenz
CommandLine|contains: Invoke-NanoDump
CommandLine|contains: Invoke-NetRipper
CommandLine|contains: Invoke-Nightmare
CommandLine|contains: Invoke-NinjaCopy
CommandLine|contains: Invoke-OfficeScrape
CommandLine|contains: Invoke-OxidResolver
CommandLine|contains: Invoke-P0wnedshell
CommandLine|contains: Invoke-PPLDump
CommandLine|contains: Invoke-PSInject
CommandLine|contains: Invoke-Paranoia
CommandLine|contains: Invoke-PortScan
CommandLine|contains: Invoke-PoshRatHttp
CommandLine|contains: Invoke-PostExfil
CommandLine|contains: Invoke-PowerDPAPI
CommandLine|contains: Invoke-PowerDump
CommandLine|contains: Invoke-PowerShellTCP
CommandLine|contains: Invoke-PowerShellWMI
CommandLine|contains: Invoke-PsExec
CommandLine|contains: Invoke-PsUaCme
CommandLine|contains: Invoke-ReflectivePEInjection
CommandLine|contains: Invoke-ReverseDNSLookup
CommandLine|contains: Invoke-Rubeus
CommandLine|contains: Invoke-RunAs
CommandLine|contains: Invoke-SCShell
CommandLine|contains: Invoke-SMBScanner
CommandLine|contains: Invoke-SSHCommand
CommandLine|contains: Invoke-SafetyKatz
CommandLine|contains: Invoke-SauronEye
CommandLine|contains: Invoke-Seatbelt
CommandLine|contains: Invoke-ServiceAbuse
CommandLine|contains: Invoke-ShadowSpray
CommandLine|contains: Invoke-Sharp
CommandLine|contains: Invoke-Shellcode
CommandLine|contains: Invoke-Snaffler
CommandLine|contains: Invoke-Spoolsample
CommandLine|contains: Invoke-SpraySinglePassword
CommandLine|contains: Invoke-StandIn
CommandLine|contains: Invoke-StickyNotesExtract
CommandLine|contains: Invoke-SystemCommand
CommandLine|contains: Invoke-Tasksbackdoor
CommandLine|contains: Invoke-Tater
CommandLine|contains: Invoke-ThunderStruck
CommandLine|contains: Invoke-Thunderfox
CommandLine|contains: Invoke-TokenManipulation
CommandLine|contains: Invoke-Tokenvator
CommandLine|contains: Invoke-TotalExec
CommandLine|contains: Invoke-UrbanBishop
CommandLine|contains: Invoke-UserHunter
CommandLine|contains: Invoke-VoiceTroll
CommandLine|contains: Invoke-WMIExec
CommandLine|contains: Invoke-WScriptBypassUAC
CommandLine|contains: Invoke-Whisker
CommandLine|contains: Invoke-WinEnum
CommandLine|contains: Invoke-WireTap
CommandLine|contains: Invoke-WmiCommand
CommandLine|contains: Invoke-Zerologon
CommandLine|contains: Invoke-winPEAS
CommandLine|contains: MailRaider
CommandLine|contains: New-ADIDNSNode
CommandLine|contains: New-DNSRecordArray
CommandLine|contains: New-HoneyHash
CommandLine|contains: New-InMemoryModule
CommandLine|contains: New-MachineAccount
CommandLine|contains: New-SOASerialNumberArray
CommandLine|contains: Out-Minidump
CommandLine|contains: Port-Scan
CommandLine|contains: PowerBreach
CommandLine|contains: PowerUp
CommandLine|contains: PowerView
CommandLine|contains: Remove-ADIDNSNode
CommandLine|contains: Remove-MachineAccount
CommandLine|contains: Remove-Update
CommandLine|contains: Rename-ADIDNSNode
CommandLine|contains: Revoke-ADIDNSPermission
CommandLine|contains: Set-ADIDNSNode
CommandLine|contains: Set-MacAttribute
CommandLine|contains: Set-MachineAccountAttribute
CommandLine|contains: Set-Wallpaper
CommandLine|contains: Show-TargetScreen
CommandLine|contains: Start-CaptureServer
CommandLine|contains: Start-Dnscat2
CommandLine|contains: Start-WebcamRecorder
CommandLine|contains: Veeam-Get-Creds
CommandLine|contains: VolumeShadowCopyTools
CommandLine|contains: 'powercat '
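The selection above is a single `or` over `CommandLine|contains` predicates, and Sigma string matching is case-insensitive. The following is an added example, not code from the rule or its catalog, that evaluates that logic over constructed process-creation events using a small subset of the rule's values; the event records and the `evaluate` helper are assumptions for illustration.

```python
# Subset of the rule's selection values (the full rule lists many more).
# The trailing space in 'powercat ' is deliberate and mirrors the rule.
SELECTION = [
    "Invoke-Mimikatz",
    "Invoke-DCSync",
    "Get-GPPPassword",
    "Invoke-InteractiveSystemPowerShell",
    "powercat ",
]


def matches_selection(command_line, values=SELECTION):
    """Return the first selection value found in command_line as a
    case-insensitive substring (Sigma `contains`), or None on no match."""
    lowered = command_line.lower()
    for value in values:
        if value.lower() in lowered:
            return value
    return None


# Constructed Sysmon Event ID 1 style records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "CommandLine": 'powershell.exe -nop -c "Invoke-Mimikatz"'},
    {"EventID": 1, "CommandLine": 'powershell.exe -c "invoke-dcsync -Domain corp.local"'},
    {"EventID": 1, "CommandLine": 'powershell.exe -c "powercat -h"'},
    # No trailing space after "powercat": a path, not the tool, so no hit.
    {"EventID": 1, "CommandLine": "powershell.exe -c Get-ChildItem C:\\Users\\powercat"},
    {"EventID": 1, "CommandLine": "powershell.exe -c Get-Process"},
    {"EventID": 3, "CommandLine": "Invoke-Mimikatz"},  # not process creation; ignored
]


def evaluate(events):
    """Return (event index, matched value) for every process-creation
    event whose CommandLine satisfies the rule's selection."""
    hits = []
    for index, event in enumerate(events):
        if event.get("EventID") != 1:
            continue
        value = matches_selection(event.get("CommandLine", ""))
        if value is not None:
            hits.append((index, value))
    return hits


if __name__ == "__main__":
    for index, value in evaluate(SAMPLE_EVENTS):
        print(f"event {index}: matched {value!r}")
```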

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field: CommandLine
Kind: match
Values:
  • Add-Exfiltration
  • Add-Persistence
  • Add-RegBackdoor
  • Add-RemoteRegBackdoor
  • Add-ScrnSaveBackdoor
  • Check-VM
  • ConvertTo-Rc4ByteStream
  • Decrypt-Hash
  • Disable-ADIDNSNode
  • Disable-MachineAccount
  • Do-Exfiltration
  • Enable-ADIDNSNode
  • Enable-MachineAccount
  • Enabled-DuplicateToken
  • Exploit-Jboss
  • Export-ADR
  • Export-ADRCSV
  • Export-ADRExcel
  • Export-ADRHTML
  • Export-ADRJSON
  • Export-ADRXML
  • Find-Fruit
  • Find-GPOLocation corpus 2 (sigma 2)
  • Find-TrustedDocuments
  • Get-ADIDNS
  • Get-ApplicationHost
  • Get-ChromeDump
  • Get-ClipboardContents
  • Get-FoxDump
  • Get-GPPPassword
  • Get-IndexedItem
  • Get-KerberosAESKey
  • Get-Keystrokes
  • Get-LSASecret
  • Get-MachineAccountAttribute
  • Get-MachineAccountCreator
  • Get-PassHashes
  • Get-RegAlwaysInstallElevated
  • Get-RegAutoLogon
  • Get-RemoteBootKey
  • Get-RemoteCachedCredential
  • Get-RemoteLSAKey
  • Get-RemoteLocalAccountHash
  • Get-RemoteMachineAccountHash
  • Get-RemoteNLKMKey
  • Get-RickAstley
  • Get-Screenshot
  • Get-SecurityPackages
  • Get-ServiceFilePermission
  • Get-ServicePermission
  • Get-ServiceUnquoted
  • Get-SiteListPassword
  • Get-System
  • Get-TimedScreenshot
  • Get-USBKeystrokes
  • Get-UnattendedInstallFile
  • Get-Unconstrained
  • Get-VaultCredential
  • Get-VulnAutoRun
  • Get-VulnSchTask
  • Grant-ADIDNSPermission
  • Gupt-Backdoor
  • HTTP-Login
  • Install-SSP
  • Install-ServiceBinary
  • Invoke-ACLScanner corpus 2 (sigma 2)
  • Invoke-ADRecon
  • Invoke-ADSBackdoor
  • Invoke-ARPScan
  • Invoke-AgentSmith
  • Invoke-AllChecks
  • Invoke-AzureHound
  • Invoke-BackdoorLNK
  • Invoke-BadPotato
  • Invoke-BetterSafetyKatz
  • Invoke-BypassUAC
  • Invoke-Carbuncle
  • Invoke-Certify
  • Invoke-ConPtyShell
  • Invoke-CredentialInjection
  • Invoke-DAFT
  • Invoke-DCSync
  • Invoke-DNSExfiltrator
  • Invoke-DNSUpdate
  • Invoke-DinvokeKatz
  • Invoke-DllInjection
  • Invoke-DomainPasswordSpray
  • Invoke-DowngradeAccount
  • Invoke-EgressCheck
  • Invoke-Eyewitness
  • Invoke-FakeLogonScreen
  • Invoke-Farmer
  • Invoke-Get-RBCD-Threaded
  • Invoke-Gopher
  • Invoke-Grouper
  • Invoke-HandleKatz
  • Invoke-ImpersonateSystem
  • Invoke-ImpersonatedProcess
  • Invoke-InteractiveSystemPowerShell
  • Invoke-Internalmonologue
  • Invoke-Inveigh
  • Invoke-InveighRelay
  • Invoke-KrbRelay
  • Invoke-LdapSignCheck
  • Invoke-Lockless
  • Invoke-MITM6
  • Invoke-MalSCCM
  • Invoke-Mimikatz
  • Invoke-Mimikittenz
  • Invoke-NanoDump
  • Invoke-NetRipper
  • Invoke-Nightmare corpus 2 (sigma 2)
  • Invoke-NinjaCopy
  • Invoke-OfficeScrape
  • Invoke-OxidResolver
  • Invoke-P0wnedshell
  • Invoke-PPLDump
  • Invoke-PSInject
  • Invoke-Paranoia
  • Invoke-PortScan
  • Invoke-PoshRatHttp
  • Invoke-PostExfil
  • Invoke-PowerDPAPI
  • Invoke-PowerDump
  • Invoke-PowerShellTCP
  • Invoke-PowerShellWMI
  • Invoke-PsExec
  • Invoke-PsUaCme
  • Invoke-ReflectivePEInjection
  • Invoke-ReverseDNSLookup
  • Invoke-Rubeus
  • Invoke-RunAs
  • Invoke-SCShell
  • Invoke-SMBScanner
  • Invoke-SSHCommand
  • Invoke-SafetyKatz
  • Invoke-SauronEye
  • Invoke-Seatbelt
  • Invoke-ServiceAbuse
  • Invoke-ShadowSpray
  • Invoke-Sharp
  • Invoke-Shellcode
  • Invoke-Snaffler
  • Invoke-Spoolsample
  • Invoke-SpraySinglePassword
  • Invoke-StandIn
  • Invoke-StickyNotesExtract
  • Invoke-SystemCommand
  • Invoke-Tasksbackdoor
  • Invoke-Tater corpus 2 (sigma 2)
  • Invoke-ThunderStruck
  • Invoke-Thunderfox
  • Invoke-TokenManipulation
  • Invoke-Tokenvator
  • Invoke-TotalExec
  • Invoke-UrbanBishop
  • Invoke-UserHunter corpus 2 (sigma 2)
  • Invoke-VoiceTroll
  • Invoke-WMIExec
  • Invoke-WScriptBypassUAC
  • Invoke-Whisker
  • Invoke-WinEnum
  • Invoke-WireTap
  • Invoke-WmiCommand
  • Invoke-Zerologon
  • Invoke-winPEAS
  • MailRaider
  • New-ADIDNSNode
  • New-DNSRecordArray
  • New-HoneyHash
  • New-InMemoryModule
  • New-MachineAccount
  • New-SOASerialNumberArray
  • Out-Minidump
  • Port-Scan
  • PowerBreach
  • PowerUp
  • PowerView
  • Remove-ADIDNSNode
  • Remove-MachineAccount
  • Remove-Update
  • Rename-ADIDNSNode
  • Revoke-ADIDNSPermission
  • Set-ADIDNSNode
  • Set-MacAttribute
  • Set-MachineAccountAttribute
  • Set-Wallpaper
  • Show-TargetScreen
  • Start-CaptureServer
  • Start-Dnscat2
  • Start-WebcamRecorder
  • Veeam-Get-Creds
  • VolumeShadowCopyTools
  • powercat