title: Malicious PowerShell Commandlet Names status: experimental description: Detects the creation of known powershell scripts for exploitation references: - https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml tags: - attack.execution - attack.t1086 author: Markus Neis date: 2018/04/07 logsource: product: windows service: sysmon detection: selection: EventID: 11 TargetFilename: - '*\Invoke-DllInjection.ps1' - '*\Invoke-WmiCommand.ps1' - '*\Get-GPPPassword.ps1' - '*\Get-Keystrokes.ps1' - '*\Get-VaultCredential.ps1' - '*\Invoke-CredentialInjection.ps1' - '*\Invoke-Mimikatz.ps1' - '*\Invoke-NinjaCopy.ps1' - '*\Invoke-TokenManipulation.ps1' - '*\Out-Minidump.ps1' - '*\VolumeShadowCopyTools.ps1' - '*\Invoke-ReflectivePEInjection.ps1' - '*\Get-TimedScreenshot.ps1' - '*\Invoke-UserHunter.ps1' - '*\Find-GPOLocation.ps1' - '*\Invoke-ACLScanner.ps1' - '*\Invoke-DowngradeAccount.ps1' - '*\Get-ServiceUnquoted.ps1' - '*\Get-ServiceFilePermission.ps1' - '*\Get-ServicePermission.ps1' - '*\Invoke-ServiceAbuse.ps1' - '*\Install-ServiceBinary.ps1' - '*\Get-RegAutoLogon.ps1' - '*\Get-VulnAutoRun.ps1' - '*\Get-VulnSchTask.ps1' - '*\Get-UnattendedInstallFile.ps1' - '*\Get-WebConfig.ps1' - '*\Get-ApplicationHost.ps1' - '*\Get-RegAlwaysInstallElevated.ps1' - '*\Get-Unconstrained.ps1' - '*\Add-RegBackdoor.ps1' - '*\Add-ScrnSaveBackdoor.ps1' - '*\Gupt-Backdoor.ps1' - '*\Invoke-ADSBackdoor.ps1' - '*\Enabled-DuplicateToken.ps1' - '*\Invoke-PsUaCme.ps1' - '*\Remove-Update.ps1' - '*\Check-VM.ps1' - '*\Get-LSASecret.ps1' - '*\Get-PassHashes.ps1' - '*\Show-TargetScreen.ps1' - '*\Port-Scan.ps1' - '*\Invoke-PoshRatHttp.ps1' - '*\Invoke-PowerShellTCP.ps1' - '*\Invoke-PowerShellWMI.ps1' - '*\Add-Exfiltration.ps1' - '*\Add-Persistence.ps1' - '*\Do-Exfiltration.ps1' - '*\Start-CaptureServer.ps1' - '*\Invoke-ShellCode.ps1' - '*\Get-ChromeDump.ps1' - '*\Get-ClipboardContents.ps1' - '*\Get-FoxDump.ps1' - '*\Get-IndexedItem.ps1' - '*\Get-Screenshot.ps1' - '*\Invoke-Inveigh.ps1' - '*\Invoke-NetRipper.ps1' - '*\Invoke-EgressCheck.ps1' - '*\Invoke-PostExfil.ps1' - '*\Invoke-PSInject.ps1' - '*\Invoke-RunAs.ps1' - '*\MailRaider.ps1' - '*\New-HoneyHash.ps1' - '*\Set-MacAttribute.ps1' - '*\Invoke-DCSync.ps1' - '*\Invoke-PowerDump.ps1' - '*\Exploit-Jboss.ps1' - '*\Invoke-ThunderStruck.ps1' - '*\Invoke-VoiceTroll.ps1' - '*\Set-Wallpaper.ps1' - '*\Invoke-InveighRelay.ps1' - '*\Invoke-PsExec.ps1' - '*\Invoke-SSHCommand.ps1' - '*\Get-SecurityPackages.ps1' - '*\Install-SSP.ps1' - '*\Invoke-BackdoorLNK.ps1' - '*\PowerBreach.ps1' - '*\Get-SiteListPassword.ps1' - '*\Get-System.ps1' - '*\Invoke-BypassUAC.ps1' - '*\Invoke-Tater.ps1' - '*\Invoke-WScriptBypassUAC.ps1' - '*\PowerUp.ps1' - '*\PowerView.ps1' - '*\Get-RickAstley.ps1' - '*\Find-Fruit.ps1' - '*\HTTP-Login.ps1' - '*\Find-TrustedDocuments.ps1' - '*\Invoke-Paranoia.ps1' - '*\Invoke-WinEnum.ps1' - '*\Invoke-ARPScan.ps1' - '*\Invoke-PortScan.ps1' - '*\Invoke-ReverseDNSLookup.ps1' - '*\Invoke-SMBScanner.ps1' - '*\Invoke-Mimikittenz.ps1' condition: selection falsepositives: - Penetration Tests level: high