title: Malicious PowerShell Commandlets
status: experimental
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
modified: 2019/01/22
references:
    - https://adsecurity.org/?p=2921
tags:
    - attack.execution
    - attack.t1086
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
    product: windows
    service: powershell
    definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
    keywords:
        - Invoke-DllInjection
        - Invoke-Shellcode
        - Invoke-WmiCommand
        - Get-GPPPassword
        - Get-Keystrokes
        - Get-TimedScreenshot
        - Get-VaultCredential
        - Invoke-CredentialInjection
        - Invoke-Mimikatz
        - Invoke-NinjaCopy
        - Invoke-TokenManipulation
        - Out-Minidump
        - VolumeShadowCopyTools
        - Invoke-ReflectivePEInjection
        - Invoke-UserHunter
        - Find-GPOLocation
        - Invoke-ACLScanner
        - Invoke-DowngradeAccount
        - Get-ServiceUnquoted
        - Get-ServiceFilePermission
        - Get-ServicePermission
        - Invoke-ServiceAbuse
        - Install-ServiceBinary
        - Get-RegAutoLogon
        - Get-VulnAutoRun
        - Get-VulnSchTask
        - Get-UnattendedInstallFile
        - Get-ApplicationHost
        - Get-RegAlwaysInstallElevated
        - Get-Unconstrained
        - Add-RegBackdoor
        - Add-ScrnSaveBackdoor
        - Gupt-Backdoor
        - Invoke-ADSBackdoor
        - Enabled-DuplicateToken
        - Invoke-PsUaCme
        - Remove-Update
        - Check-VM
        - Get-LSASecret
        - Get-PassHashes
        - Show-TargetScreen
        - Port-Scan
        - Invoke-PoshRatHttp
        - Invoke-PowerShellTCP
        - Invoke-PowerShellWMI
        - Add-Exfiltration
        - Add-Persistence
        - Do-Exfiltration
        - Start-CaptureServer
        - Get-ChromeDump
        - Get-ClipboardContents
        - Get-FoxDump
        - Get-IndexedItem
        - Get-Screenshot
        - Invoke-Inveigh
        - Invoke-NetRipper
        - Invoke-EgressCheck
        - Invoke-PostExfil
        - Invoke-PSInject
        - Invoke-RunAs
        - MailRaider
        - New-HoneyHash
        - Set-MacAttribute
        - Invoke-DCSync
        - Invoke-PowerDump
        - Exploit-Jboss
        - Invoke-ThunderStruck
        - Invoke-VoiceTroll
        - Set-Wallpaper
        - Invoke-InveighRelay
        - Invoke-PsExec
        - Invoke-SSHCommand
        - Get-SecurityPackages
        - Install-SSP
        - Invoke-BackdoorLNK
        - PowerBreach
        - Get-SiteListPassword
        - Get-System
        - Invoke-BypassUAC
        - Invoke-Tater
        - Invoke-WScriptBypassUAC
        - PowerUp
        - PowerView
        - Get-RickAstley
        - Find-Fruit
        - HTTP-Login
        - Find-TrustedDocuments
        - Invoke-Paranoia
        - Invoke-WinEnum
        - Invoke-ARPScan
        - Invoke-PortScan
        - Invoke-ReverseDNSLookup
        - Invoke-SMBScanner
        - Invoke-Mimikittenz
    false_positives:
        - Get-SystemDriveInfo  # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
    condition: keywords and not false_positives
falsepositives:
    - Penetration testing
level: high
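To show how the rule's `keywords and not false_positives` condition behaves on Script Block Logging text, the following Python is an added example; it is not part of the rule, the Sigma project or any Sigma backend. It applies Sigma keyword semantics (case-insensitive substring match anywhere in the event text) to a subset of the rule's keyword list and to constructed sample events; the `evaluate` and `scan` functions, the `Verdict` type and the event field names are this example's own assumptions.

```python
"""Evaluate the rule's `keywords and not false_positives` condition.

Added example, not code from the rule or from the Sigma project.
KEYWORDS is a subset of the rule's list; SAMPLE_EVENTS are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Subset of the rule's `keywords` list (the full list is in the rule above).
KEYWORDS = [
    "Invoke-DllInjection", "Invoke-Mimikatz", "Get-System",
    "Invoke-BypassUAC", "PowerUp", "Invoke-DCSync",
]
# The rule's `false_positives` list.
FALSE_POSITIVES = ["Get-SystemDriveInfo"]


def _compile(terms):
    # Sigma keyword search: case-insensitive substring match anywhere in the event.
    return re.compile("|".join(re.escape(t) for t in terms), re.IGNORECASE)


KEYWORD_RE = _compile(KEYWORDS)
FP_RE = _compile(FALSE_POSITIVES)


@dataclass
class Verdict:
    matched: bool                    # True when the rule would fire
    keyword: Optional[str]           # keyword text found in the event, if any
    suppressed_by: Optional[str]     # false_positives entry that cancelled it


def evaluate(event_text: str) -> Verdict:
    """Apply `keywords and not false_positives` to one event's text."""
    kw = KEYWORD_RE.search(event_text)
    if kw is None:
        return Verdict(False, None, None)
    fp = FP_RE.search(event_text)
    if fp is not None:
        # A keyword hit, but the event also contains an excluded string.
        return Verdict(False, kw.group(0), fp.group(0))
    return Verdict(True, kw.group(0), None)


# Constructed Event ID 4104 records (hypothetical field names, not a real export).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4104,
     "ScriptBlockText": "Get-ChildItem C:\\Users | Measure-Object"},
    {"RecordId": 2, "EventID": 4104,
     "ScriptBlockText": "Import-Module .\\tools.ps1; Invoke-Mimikatz"},
    {"RecordId": 3, "EventID": 4104,
     "ScriptBlockText": "Get-SystemDriveInfo"},   # CL_Utility.ps1 helper, the listed false positive
    {"RecordId": 4, "EventID": 4104,
     "ScriptBlockText": "powerup"},               # lowercase still matches
]


def scan(events):
    """Return (RecordId, keyword) for every event the rule would fire on."""
    hits = []
    for ev in events:
        v = evaluate(ev["ScriptBlockText"])
        if v.matched:
            hits.append((ev["RecordId"], v.keyword))
    return hits


if __name__ == "__main__":
    for rid, kw in scan(SAMPLE_EVENTS):
        print(f"record {rid}: matched keyword {kw!r}")
    print(evaluate("Get-SystemDriveInfo"))
```

The `Get-SystemDriveInfo` case shows why the exclusion is in the rule: the short keyword `Get-System` is a substring of that legitimate CL_Utility.ps1 helper, so without the exclusion every run of it would fire at level high. Short keywords such as `PowerUp`, `Check-VM` and `Port-Scan` are the ones most worth testing for similar collisions against your own environment's script block logs before deploying the rule.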