SigmaHQ/rules/windows/powershell/powershell_malicious_commandlets.yml

title: Malicious PowerShell Commandlets
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
status: experimental
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
    - https://adsecurity.org/?p=2921
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1086  #an old one
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
logsource:
    product: windows
    service: powershell
    definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
    keywords:
        Message:
            - "*Invoke-DllInjection*"
            - "*Invoke-Shellcode*"
            - "*Invoke-WmiCommand*"
            - "*Get-GPPPassword*"
            - "*Get-Keystrokes*"
            - "*Get-TimedScreenshot*"
            - "*Get-VaultCredential*"
            - "*Invoke-CredentialInjection*"
            - "*Invoke-Mimikatz*"
            - "*Invoke-NinjaCopy*"
            - "*Invoke-TokenManipulation*"
            - "*Out-Minidump*"
            - "*VolumeShadowCopyTools*"
            - "*Invoke-ReflectivePEInjection*"
            - "*Invoke-UserHunter*"
            - "*Find-GPOLocation*"
            - "*Invoke-ACLScanner*"
            - "*Invoke-DowngradeAccount*"
            - "*Get-ServiceUnquoted*"
            - "*Get-ServiceFilePermission*"
            - "*Get-ServicePermission*"
            - "*Invoke-ServiceAbuse*"
            - "*Install-ServiceBinary*"
            - "*Get-RegAutoLogon*"
            - "*Get-VulnAutoRun*"
            - "*Get-VulnSchTask*"
            - "*Get-UnattendedInstallFile*"
            - "*Get-ApplicationHost*"
            - "*Get-RegAlwaysInstallElevated*"
            - "*Get-Unconstrained*"
            - "*Add-RegBackdoor*"
            - "*Add-ScrnSaveBackdoor*"
            - "*Gupt-Backdoor*"
            - "*Invoke-ADSBackdoor*"
            - "*Enabled-DuplicateToken*"
            - "*Invoke-PsUaCme*"
            - "*Remove-Update*"
            - "*Check-VM*"
            - "*Get-LSASecret*"
            - "*Get-PassHashes*"
            - "*Show-TargetScreen*"
            - "*Port-Scan*"
            - "*Invoke-PoshRatHttp*"
            - "*Invoke-PowerShellTCP*"
            - "*Invoke-PowerShellWMI*"
            - "*Add-Exfiltration*"
            - "*Add-Persistence*"
            - "*Do-Exfiltration*"
            - "*Start-CaptureServer*"
            - "*Get-ChromeDump*"
            - "*Get-ClipboardContents*"
            - "*Get-FoxDump*"
            - "*Get-IndexedItem*"
            - "*Get-Screenshot*"
            - "*Invoke-Inveigh*"
            - "*Invoke-NetRipper*"
            - "*Invoke-EgressCheck*"
            - "*Invoke-PostExfil*"
            - "*Invoke-PSInject*"
            - "*Invoke-RunAs*"
            - "*MailRaider*"
            - "*New-HoneyHash*"
            - "*Set-MacAttribute*"
            - "*Invoke-DCSync*"
            - "*Invoke-PowerDump*"
            - "*Exploit-Jboss*"
            - "*Invoke-ThunderStruck*"
            - "*Invoke-VoiceTroll*"
            - "*Set-Wallpaper*"
            - "*Invoke-InveighRelay*"
            - "*Invoke-PsExec*"
            - "*Invoke-SSHCommand*"
            - "*Get-SecurityPackages*"
            - "*Install-SSP*"
            - "*Invoke-BackdoorLNK*"
            - "*PowerBreach*"
            - "*Get-SiteListPassword*"
            - "*Get-System*"
            - "*Invoke-BypassUAC*"
            - "*Invoke-Tater*"
            - "*Invoke-WScriptBypassUAC*"
            - "*PowerUp*"
            - "*PowerView*"
            - "*Get-RickAstley*"
            - "*Find-Fruit*"
            - "*HTTP-Login*"
            - "*Find-TrustedDocuments*"
            - "*Invoke-Paranoia*"
            - "*Invoke-WinEnum*"
            - "*Invoke-ARPScan*"
            - "*Invoke-PortScan*"
            - "*Invoke-ReverseDNSLookup*"
            - "*Invoke-SMBScanner*"
            - "*Invoke-Mimikittenz*"
            - "*Invoke-AllChecks*"
    false_positives:
        - Get-SystemDriveInfo  # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
    condition: keywords and not false_positives
falsepositives:
    - Penetration testing
level: high
First PowerShell Ruleset 2017-03-05 00:47:25 +00:00			`title: Malicious PowerShell Commandlets`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6`
First PowerShell Ruleset 2017-03-05 00:47:25 +00:00			`status: experimental`
			`description: Detects Commandlet names from well-known PowerShell exploitation frameworks`
Change All "str" references to be "list"to mach schema update 2018-01-27 23:24:16 +00:00			`references:`
			`- https://adsecurity.org/?p=2921`
Tagged windows powershell, other and malware rules. 2018-07-24 08:56:41 +00:00			`tags:`
			`- attack.execution`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`- attack.t1059.001`
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-24 00:01:50 +00:00			`- attack.t1086 #an old one`
First PowerShell Ruleset 2017-03-05 00:47:25 +00:00			`author: Sean Metcalf (source), Florian Roth (rule)`
fix: fixed missing date fields in remaining files 2020-01-30 15:07:37 +00:00			`date: 2017/03/05`
First PowerShell Ruleset 2017-03-05 00:47:25 +00:00			`logsource:`
Bugfix: PowerShell rules log source inconstency 2017-03-21 09:22:13 +00:00			`product: windows`
			`service: powershell`
fixed typos 2019-06-29 12:35:59 +00:00			`definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'`
First PowerShell Ruleset 2017-03-05 00:47:25 +00:00			`detection:`
			`keywords:`
fix: bound keywords to field in multiple PS rules Rules changed: - rules/windows/powershell/powershell_malicious_commandlets.yml - rules/windows/powershell/powershell_malicious_keywords.yml - rules/windows/powershell/powershell_suspicious_download.yml - rules/windows/powershell/powershell_suspicious_invocation_specific.yml 2019-10-29 18:53:18 +00:00			`Message:`
			`- "Invoke-DllInjection"`
			`- "Invoke-Shellcode"`
			`- "Invoke-WmiCommand"`
			`- "Get-GPPPassword"`
			`- "Get-Keystrokes"`
			`- "Get-TimedScreenshot"`
			`- "Get-VaultCredential"`
			`- "Invoke-CredentialInjection"`
			`- "Invoke-Mimikatz"`
			`- "Invoke-NinjaCopy"`
			`- "Invoke-TokenManipulation"`
			`- "Out-Minidump"`
			`- "VolumeShadowCopyTools"`
			`- "Invoke-ReflectivePEInjection"`
			`- "Invoke-UserHunter"`
			`- "Find-GPOLocation"`
			`- "Invoke-ACLScanner"`
			`- "Invoke-DowngradeAccount"`
			`- "Get-ServiceUnquoted"`
			`- "Get-ServiceFilePermission"`
			`- "Get-ServicePermission"`
			`- "Invoke-ServiceAbuse"`
			`- "Install-ServiceBinary"`
			`- "Get-RegAutoLogon"`
			`- "Get-VulnAutoRun"`
			`- "Get-VulnSchTask"`
			`- "Get-UnattendedInstallFile"`
			`- "Get-ApplicationHost"`
			`- "Get-RegAlwaysInstallElevated"`
			`- "Get-Unconstrained"`
			`- "Add-RegBackdoor"`
			`- "Add-ScrnSaveBackdoor"`
			`- "Gupt-Backdoor"`
			`- "Invoke-ADSBackdoor"`
			`- "Enabled-DuplicateToken"`
			`- "Invoke-PsUaCme"`
			`- "Remove-Update"`
			`- "Check-VM"`
			`- "Get-LSASecret"`
			`- "Get-PassHashes"`
			`- "Show-TargetScreen"`
			`- "Port-Scan"`
			`- "Invoke-PoshRatHttp"`
			`- "Invoke-PowerShellTCP"`
			`- "Invoke-PowerShellWMI"`
			`- "Add-Exfiltration"`
			`- "Add-Persistence"`
			`- "Do-Exfiltration"`
			`- "Start-CaptureServer"`
			`- "Get-ChromeDump"`
			`- "Get-ClipboardContents"`
			`- "Get-FoxDump"`
			`- "Get-IndexedItem"`
			`- "Get-Screenshot"`
			`- "Invoke-Inveigh"`
			`- "Invoke-NetRipper"`
			`- "Invoke-EgressCheck"`
			`- "Invoke-PostExfil"`
			`- "Invoke-PSInject"`
			`- "Invoke-RunAs"`
			`- "MailRaider"`
			`- "New-HoneyHash"`
			`- "Set-MacAttribute"`
			`- "Invoke-DCSync"`
			`- "Invoke-PowerDump"`
			`- "Exploit-Jboss"`
			`- "Invoke-ThunderStruck"`
			`- "Invoke-VoiceTroll"`
			`- "Set-Wallpaper"`
			`- "Invoke-InveighRelay"`
			`- "Invoke-PsExec"`
			`- "Invoke-SSHCommand"`
			`- "Get-SecurityPackages"`
			`- "Install-SSP"`
			`- "Invoke-BackdoorLNK"`
			`- "PowerBreach"`
			`- "Get-SiteListPassword"`
			`- "Get-System"`
			`- "Invoke-BypassUAC"`
			`- "Invoke-Tater"`
			`- "Invoke-WScriptBypassUAC"`
			`- "PowerUp"`
			`- "PowerView"`
			`- "Get-RickAstley"`
			`- "Find-Fruit"`
			`- "HTTP-Login"`
			`- "Find-TrustedDocuments"`
			`- "Invoke-Paranoia"`
			`- "Invoke-WinEnum"`
			`- "Invoke-ARPScan"`
			`- "Invoke-PortScan"`
			`- "Invoke-ReverseDNSLookup"`
			`- "Invoke-SMBScanner"`
			`- "Invoke-Mimikittenz"`
Add the ability to detect PowerUp - Invoke-AllChecks PowerUp allow attackers to check if is possible to have a local privilege escalation attacks against Windows systems. The main function is called "Invoke-AllChecks" and check possible path of escalation. 2019-12-23 10:50:57 +00:00			`- "Invoke-AllChecks"`
powershell false positives 2019-09-06 07:54:19 +00:00			`false_positives:`
			`- Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1`
			`condition: keywords and not false_positives`
First PowerShell Ruleset 2017-03-05 00:47:25 +00:00			`falsepositives:`
			`- Penetration testing`
			`level: high`