SigmaHQ/rules/windows/powershell/powershell_malicious_commandlets.yml

title: Malicious PowerShell Commandlets
status: experimental
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
    - https://adsecurity.org/?p=2921
tags:
    - attack.execution
    - attack.t1086
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
    product: windows
    service: powershell
    description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
    keywords:
        - Invoke-DllInjection
        - Invoke-Shellcode
        - Invoke-WmiCommand
        - Get-GPPPassword
        - Get-Keystrokes
        - Get-TimedScreenshot
        - Get-VaultCredential
        - Invoke-CredentialInjection
        - Invoke-Mimikatz
        - Invoke-NinjaCopy
        - Invoke-TokenManipulation
        - Out-Minidump
        - VolumeShadowCopyTools
        - Invoke-ReflectivePEInjection
        - Invoke-UserHunter
        - Find-GPOLocation
        - Invoke-ACLScanner
        - Invoke-DowngradeAccount
        - Get-ServiceUnquoted
        - Get-ServiceFilePermission
        - Get-ServicePermission
        - Invoke-ServiceAbuse
        - Install-ServiceBinary
        - Get-RegAutoLogon
        - Get-VulnAutoRun
        - Get-VulnSchTask
        - Get-UnattendedInstallFile
        - Get-WebConfig
        - Get-ApplicationHost
        - Get-RegAlwaysInstallElevated
        - Get-Unconstrained
        - Add-RegBackdoor
        - Add-ScrnSaveBackdoor
        - Gupt-Backdoor
        - Invoke-ADSBackdoor
        - Enabled-DuplicateToken
        - Invoke-PsUaCme
        - Remove-Update
        - Check-VM
        - Get-LSASecret
        - Get-PassHashes
        - Invoke-Mimikatz
        - Show-TargetScreen
        - Port-Scan
        - Invoke-PoshRatHttp
        - Invoke-PowerShellTCP
        - Invoke-PowerShellWMI
        - Add-Exfiltration
        - Add-Persistence
        - Do-Exfiltration
        - Start-CaptureServer
        - Invoke-DllInjection
        - Invoke-ReflectivePEInjection
        - Invoke-ShellCode
        - Get-ChromeDump
        - Get-ClipboardContents
        - Get-FoxDump
        - Get-IndexedItem
        - Get-Keystrokes
        - Get-Screenshot
        - Invoke-Inveigh
        - Invoke-NetRipper
        - Invoke-NinjaCopy
        - Out-Minidump
        - Invoke-EgressCheck
        - Invoke-PostExfil
        - Invoke-PSInject
        - Invoke-RunAs
        - MailRaider
        - New-HoneyHash
        - Set-MacAttribute
        - Get-VaultCredential
        - Invoke-DCSync
        - Invoke-Mimikatz
        - Invoke-PowerDump
        - Invoke-TokenManipulation
        - Exploit-Jboss
        - Invoke-ThunderStruck
        - Invoke-VoiceTroll
        - Set-Wallpaper
        - Invoke-InveighRelay
        - Invoke-PsExec
        - Invoke-SSHCommand
        - Get-SecurityPackages
        - Install-SSP
        - Invoke-BackdoorLNK
        - PowerBreach
        - Get-GPPPassword
        - Get-SiteListPassword
        - Get-System
        - Invoke-BypassUAC
        - Invoke-Tater
        - Invoke-WScriptBypassUAC
        - PowerUp
        - PowerView
        - Get-RickAstley
        - Find-Fruit
        - HTTP-Login
        - Find-TrustedDocuments
        - Invoke-Paranoia
        - Invoke-WinEnum
        - Invoke-ARPScan
        - Invoke-PortScan
        - Invoke-ReverseDNSLookup
        - Invoke-SMBScanner
        - Invoke-Mimikittenz
    condition: keywords
falsepositives:
    - Penetration testing
level: high