EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Potential Suspicious PowerShell Keywords

Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework

MITRE ATT&CK

T1059.001
execution

Detection Query

selection:
  ScriptBlockText|contains:
    - System.Reflection.Assembly.Load($
    - "[System.Reflection.Assembly]::Load($"
    - "[Reflection.Assembly]::Load($"
    - System.Reflection.AssemblyName
    - Reflection.Emit.AssemblyBuilderAccess
    - Reflection.Emit.CustomAttributeBuilder
    - Runtime.InteropServices.UnmanagedType
    - Runtime.InteropServices.DllImportAttribute
    - SuspendThread
    - rundll32
condition: selection

Author

Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)

Created

2019-02-11

Data Sources

windowsps_script

Platforms

windows

References

Tags

attack.executionattack.t1059.001
Raw Content
title: Potential Suspicious PowerShell Keywords
id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
status: test
description: Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework
references:
    - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
    - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1
    - https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1
    - https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
author: Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)
date: 2019-02-11
modified: 2023-04-21
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'System.Reflection.Assembly.Load($'
            - '[System.Reflection.Assembly]::Load($'
            - '[Reflection.Assembly]::Load($'
            - 'System.Reflection.AssemblyName'
            - 'Reflection.Emit.AssemblyBuilderAccess'
            - 'Reflection.Emit.CustomAttributeBuilder'
            - 'Runtime.InteropServices.UnmanagedType'
            - 'Runtime.InteropServices.DllImportAttribute'
            - 'SuspendThread'
            - 'rundll32'
            # - 'FromBase64'
            # - 'Invoke-WMIMethod' # Prone to FP
            # - 'http://127.0.0.1' # Prone to FP
    condition: selection
falsepositives:
    - Unknown
level: medium