EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Malicious ShellIntel PowerShell Commandlets

Detects Commandlet names from ShellIntel exploitation scripts.

MITRE ATT&CK

T1059.001
execution

Detection Query

selection:
  ScriptBlockText|contains:
    - Invoke-SMBAutoBrute
    - Invoke-GPOLinks
    - Invoke-Potato
condition: selection

Author

Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)

Created

2021-08-09

Data Sources

windowsps_script

Platforms

windows

References

Tags

attack.executionattack.t1059.001
Raw Content
title: Malicious ShellIntel PowerShell Commandlets
id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7
status: test
description: Detects Commandlet names from ShellIntel exploitation scripts.
references:
    - https://github.com/Shellntel/scripts/
author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
date: 2021-08-09
modified: 2023-01-02
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Invoke-SMBAutoBrute'
            - 'Invoke-GPOLinks'
            # - 'Out-Minidump' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            - 'Invoke-Potato'
    condition: selection
falsepositives:
    - Unknown
level: high