← Back to Explore
sigmahighHunting
Malicious PowerShell Scripts - PoshModule
Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance
Detection Query
selection_generic:
ContextInfo|contains:
- Add-ConstrainedDelegationBackdoor.ps1
- Add-Exfiltration.ps1
- Add-Persistence.ps1
- Add-RegBackdoor.ps1
- Add-RemoteRegBackdoor.ps1
- Add-ScrnSaveBackdoor.ps1
- BadSuccessor.ps1
- Check-VM.ps1
- ConvertTo-ROT13.ps1
- Copy-VSS.ps1
- Create-MultipleSessions.ps1
- DNS_TXT_Pwnage.ps1
- dnscat2.ps1
- Do-Exfiltration.ps1
- DomainPasswordSpray.ps1
- Download_Execute.ps1
- Download-Execute-PS.ps1
- Enabled-DuplicateToken.ps1
- Enable-DuplicateToken.ps1
- Execute-Command-MSSQL.ps1
- Execute-DNSTXT-Code.ps1
- Execute-OnTime.ps1
- ExetoText.ps1
- Exploit-Jboss.ps1
- Find-AVSignature.ps1
- Find-Fruit.ps1
- Find-GPOLocation.ps1
- Find-TrustedDocuments.ps1
- FireBuster.ps1
- FireListener.ps1
- Get-ApplicationHost.ps1
- Get-ChromeDump.ps1
- Get-ClipboardContents.ps1
- Get-ComputerDetail.ps1
- Get-FoxDump.ps1
- Get-GPPAutologon.ps1
- Get-GPPPassword.ps1
- Get-IndexedItem.ps1
- Get-Keystrokes.ps1
- Get-LSASecret.ps1
- Get-MicrophoneAudio.ps1
- Get-PassHashes.ps1
- Get-PassHints.ps1
- Get-RegAlwaysInstallElevated.ps1
- Get-RegAutoLogon.ps1
- Get-RickAstley.ps1
- Get-Screenshot.ps1
- Get-SecurityPackages.ps1
- Get-ServiceFilePermission.ps1
- Get-ServicePermission.ps1
- Get-ServiceUnquoted.ps1
- Get-SiteListPassword.ps1
- Get-System.ps1
- Get-TimedScreenshot.ps1
- Get-UnattendedInstallFile.ps1
- Get-Unconstrained.ps1
- Get-USBKeystrokes.ps1
- Get-VaultCredential.ps1
- Get-VulnAutoRun.ps1
- Get-VulnSchTask.ps1
- Get-WebConfig.ps1
- Get-WebCredentials.ps1
- Get-WLAN-Keys.ps1
- Gupt-Backdoor.ps1
- HTTP-Backdoor.ps1
- HTTP-Login.ps1
- Install-ServiceBinary.ps1
- Install-SSP.ps1
- Invoke-ACLScanner.ps1
- Invoke-ADSBackdoor.ps1
- Invoke-AmsiBypass.ps1
- Invoke-ARPScan.ps1
- Invoke-BackdoorLNK.ps1
- Invoke-BadPotato.ps1
- Invoke-BetterSafetyKatz.ps1
- Invoke-BruteForce.ps1
- Invoke-BypassUAC.ps1
- Invoke-Carbuncle.ps1
- Invoke-Certify.ps1
- Invoke-ConPtyShell.ps1
- Invoke-CredentialInjection.ps1
- Invoke-CredentialsPhish.ps1
- Invoke-DAFT.ps1
- Invoke-DCSync.ps1
- Invoke-Decode.ps1
- Invoke-DinvokeKatz.ps1
- Invoke-DllInjection.ps1
- Invoke-DNSExfiltrator.ps1
- Invoke-DowngradeAccount.ps1
- Invoke-EgressCheck.ps1
- Invoke-Encode.ps1
- Invoke-EventViewer.ps1
- Invoke-Eyewitness.ps1
- Invoke-FakeLogonScreen.ps1
- Invoke-Farmer.ps1
- Invoke-Get-RBCD-Threaded.ps1
- Invoke-Gopher.ps1
- Invoke-Grouper2.ps1
- Invoke-Grouper3.ps1
- Invoke-HandleKatz.ps1
- Invoke-Interceptor.ps1
- Invoke-Internalmonologue.ps1
- Invoke-Inveigh.ps1
- Invoke-InveighRelay.ps1
- Invoke-JSRatRegsvr.ps1
- Invoke-JSRatRundll.ps1
- Invoke-KrbRelay.ps1
- Invoke-KrbRelayUp.ps1
- Invoke-LdapSignCheck.ps1
- Invoke-Lockless.ps1
- Invoke-MalSCCM.ps1
- Invoke-Mimikatz.ps1
- Invoke-MimikatzWDigestDowngrade.ps1
- Invoke-Mimikittenz.ps1
- Invoke-MITM6.ps1
- Invoke-NanoDump.ps1
- Invoke-NetRipper.ps1
- Invoke-NetworkRelay.ps1
- Invoke-NinjaCopy.ps1
- Invoke-OxidResolver.ps1
- Invoke-P0wnedshell.ps1
- Invoke-P0wnedshellx86.ps1
- Invoke-Paranoia.ps1
- Invoke-PortScan.ps1
- Invoke-PoshRatHttp.ps1
- Invoke-PoshRatHttps.ps1
- Invoke-PostExfil.ps1
- Invoke-PowerDump.ps1
- Invoke-PowerDPAPI.ps1
- Invoke-PowerShellIcmp.ps1
- Invoke-PowerShellTCP.ps1
- Invoke-PowerShellTcpOneLine.ps1
- Invoke-PowerShellTcpOneLineBind.ps1
- Invoke-PowerShellUdp.ps1
- Invoke-PowerShellUdpOneLine.ps1
- Invoke-PowerShellWMI.ps1
- Invoke-PowerThIEf.ps1
- Invoke-PPLDump.ps1
- Invoke-Prasadhak.ps1
- Invoke-PsExec.ps1
- Invoke-PsGcat.ps1
- Invoke-PsGcatAgent.ps1
- Invoke-PSInject.ps1
- Invoke-PsUaCme.ps1
- Invoke-ReflectivePEInjection.ps1
- Invoke-ReverseDNSLookup.ps1
- Invoke-Rubeus.ps1
- Invoke-RunAs.ps1
- Invoke-SafetyKatz.ps1
- Invoke-SauronEye.ps1
- Invoke-SCShell.ps1
- Invoke-Seatbelt.ps1
- Invoke-ServiceAbuse.ps1
- Invoke-SessionGopher.ps1
- Invoke-ShellCode.ps1
- Invoke-SMBScanner.ps1
- Invoke-Snaffler.ps1
- Invoke-Spoolsample.ps1
- Invoke-SSHCommand.ps1
- Invoke-SSIDExfil.ps1
- Invoke-StandIn.ps1
- Invoke-StickyNotesExtract.ps1
- Invoke-Tater.ps1
- Invoke-Thunderfox.ps1
- Invoke-ThunderStruck.ps1
- Invoke-TokenManipulation.ps1
- Invoke-Tokenvator.ps1
- Invoke-TotalExec.ps1
- Invoke-UrbanBishop.ps1
- Invoke-UserHunter.ps1
- Invoke-VoiceTroll.ps1
- Invoke-Whisker.ps1
- Invoke-WinEnum.ps1
- Invoke-winPEAS.ps1
- Invoke-WireTap.ps1
- Invoke-WmiCommand.ps1
- Invoke-WScriptBypassUAC.ps1
- Invoke-Zerologon.ps1
- Keylogger.ps1
- MailRaider.ps1
- New-HoneyHash.ps1
- OfficeMemScraper.ps1
- Offline_Winpwn.ps1
- Out-CHM.ps1
- Out-DnsTxt.ps1
- Out-Excel.ps1
- Out-HTA.ps1
- Out-Java.ps1
- Out-JS.ps1
- Out-Minidump.ps1
- Out-RundllCommand.ps1
- Out-SCF.ps1
- Out-SCT.ps1
- Out-Shortcut.ps1
- Out-WebQuery.ps1
- Out-Word.ps1
- Parse_Keys.ps1
- Port-Scan.ps1
- PowerBreach.ps1
- powercat.ps1
- PowerRunAsSystem.psm1
- PowerSharpPack.ps1
- PowerUp.ps1
- PowerUpSQL.ps1
- PowerView.ps1
- PSAsyncShell.ps1
- RemoteHashRetrieval.ps1
- Remove-Persistence.ps1
- Remove-PoshRat.ps1
- Remove-Update.ps1
- Run-EXEonRemote.ps1
- Schtasks-Backdoor.ps1
- Set-DCShadowPermissions.ps1
- Set-MacAttribute.ps1
- Set-RemotePSRemoting.ps1
- Set-RemoteWMI.ps1
- Set-Wallpaper.ps1
- Show-TargetScreen.ps1
- Speak.ps1
- Start-CaptureServer.ps1
- Start-WebcamRecorder.ps1
- StringToBase64.ps1
- TexttoExe.ps1
- Veeam-Get-Creds.ps1
- VolumeShadowCopyTools.ps1
- WinPwn.ps1
- WSUSpendu.ps1
selection_invoke_sharp:
ContextInfo|contains|all:
- Invoke-Sharp
- .ps1
condition: 1 of selection_*
Author
frack113, Nasreddine Bencherchali (Nextron Systems)
Created
2023-01-23
Data Sources
windowsps_module
Platforms
windows
References
- https://github.com/PowerShellMafia/PowerSploit
- https://github.com/NetSPI/PowerUpSQL
- https://github.com/CsEnox/EventViewer-UACBypass
- https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu
- https://github.com/nettitude/Invoke-PowerThIEf
- https://github.com/S3cur3Th1sSh1t/WinPwn
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
- https://github.com/besimorhino/powercat
- https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
- https://github.com/The-Viper-One/Invoke-PowerDPAPI/
- https://github.com/Arno0x/DNSExfiltrator/
Tags
attack.executionattack.t1059.001
Raw Content
title: Malicious PowerShell Scripts - PoshModule
id: 41025fd7-0466-4650-a813-574aaacbe7f4
related:
- id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
type: similar
- id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
type: obsolete
status: test
description: Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance
references:
- https://github.com/PowerShellMafia/PowerSploit
- https://github.com/NetSPI/PowerUpSQL
- https://github.com/CsEnox/EventViewer-UACBypass
- https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu
- https://github.com/nettitude/Invoke-PowerThIEf
- https://github.com/S3cur3Th1sSh1t/WinPwn
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
- https://github.com/besimorhino/powercat
- https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
- https://github.com/The-Viper-One/Invoke-PowerDPAPI/
- https://github.com/Arno0x/DNSExfiltrator/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-23
modified: 2025-12-10
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_generic:
ContextInfo|contains:
- 'Add-ConstrainedDelegationBackdoor.ps1'
- 'Add-Exfiltration.ps1'
- 'Add-Persistence.ps1'
- 'Add-RegBackdoor.ps1'
- 'Add-RemoteRegBackdoor.ps1'
- 'Add-ScrnSaveBackdoor.ps1'
- 'BadSuccessor.ps1'
- 'Check-VM.ps1'
- 'ConvertTo-ROT13.ps1'
- 'Copy-VSS.ps1'
- 'Create-MultipleSessions.ps1'
- 'DNS_TXT_Pwnage.ps1'
- 'dnscat2.ps1'
- 'Do-Exfiltration.ps1'
- 'DomainPasswordSpray.ps1'
- 'Download_Execute.ps1'
- 'Download-Execute-PS.ps1'
- 'Enabled-DuplicateToken.ps1'
- 'Enable-DuplicateToken.ps1'
- 'Execute-Command-MSSQL.ps1'
- 'Execute-DNSTXT-Code.ps1'
- 'Execute-OnTime.ps1'
- 'ExetoText.ps1'
- 'Exploit-Jboss.ps1'
- 'Find-AVSignature.ps1'
- 'Find-Fruit.ps1'
- 'Find-GPOLocation.ps1'
- 'Find-TrustedDocuments.ps1'
- 'FireBuster.ps1'
- 'FireListener.ps1'
- 'Get-ApplicationHost.ps1'
- 'Get-ChromeDump.ps1'
- 'Get-ClipboardContents.ps1'
- 'Get-ComputerDetail.ps1'
- 'Get-FoxDump.ps1'
- 'Get-GPPAutologon.ps1'
- 'Get-GPPPassword.ps1'
- 'Get-IndexedItem.ps1'
- 'Get-Keystrokes.ps1'
- 'Get-LSASecret.ps1'
- 'Get-MicrophoneAudio.ps1'
- 'Get-PassHashes.ps1'
- 'Get-PassHints.ps1'
- 'Get-RegAlwaysInstallElevated.ps1'
- 'Get-RegAutoLogon.ps1'
- 'Get-RickAstley.ps1'
- 'Get-Screenshot.ps1'
- 'Get-SecurityPackages.ps1'
- 'Get-ServiceFilePermission.ps1'
- 'Get-ServicePermission.ps1'
- 'Get-ServiceUnquoted.ps1'
- 'Get-SiteListPassword.ps1'
- 'Get-System.ps1'
- 'Get-TimedScreenshot.ps1'
- 'Get-UnattendedInstallFile.ps1'
- 'Get-Unconstrained.ps1'
- 'Get-USBKeystrokes.ps1'
- 'Get-VaultCredential.ps1'
- 'Get-VulnAutoRun.ps1'
- 'Get-VulnSchTask.ps1'
- 'Get-WebConfig.ps1'
- 'Get-WebCredentials.ps1'
- 'Get-WLAN-Keys.ps1'
- 'Gupt-Backdoor.ps1'
- 'HTTP-Backdoor.ps1'
- 'HTTP-Login.ps1'
- 'Install-ServiceBinary.ps1'
- 'Install-SSP.ps1'
- 'Invoke-ACLScanner.ps1'
- 'Invoke-ADSBackdoor.ps1'
- 'Invoke-AmsiBypass.ps1'
- 'Invoke-ARPScan.ps1'
- 'Invoke-BackdoorLNK.ps1'
- 'Invoke-BadPotato.ps1'
- 'Invoke-BetterSafetyKatz.ps1'
- 'Invoke-BruteForce.ps1'
- 'Invoke-BypassUAC.ps1'
- 'Invoke-Carbuncle.ps1'
- 'Invoke-Certify.ps1'
- 'Invoke-ConPtyShell.ps1'
- 'Invoke-CredentialInjection.ps1'
- 'Invoke-CredentialsPhish.ps1'
- 'Invoke-DAFT.ps1'
- 'Invoke-DCSync.ps1'
- 'Invoke-Decode.ps1'
- 'Invoke-DinvokeKatz.ps1'
- 'Invoke-DllInjection.ps1'
- 'Invoke-DNSExfiltrator.ps1'
- 'Invoke-DowngradeAccount.ps1'
- 'Invoke-EgressCheck.ps1'
- 'Invoke-Encode.ps1'
- 'Invoke-EventViewer.ps1'
- 'Invoke-Eyewitness.ps1'
- 'Invoke-FakeLogonScreen.ps1'
- 'Invoke-Farmer.ps1'
- 'Invoke-Get-RBCD-Threaded.ps1'
- 'Invoke-Gopher.ps1'
- 'Invoke-Grouper2.ps1'
- 'Invoke-Grouper3.ps1'
- 'Invoke-HandleKatz.ps1'
- 'Invoke-Interceptor.ps1'
- 'Invoke-Internalmonologue.ps1'
- 'Invoke-Inveigh.ps1'
- 'Invoke-InveighRelay.ps1'
- 'Invoke-JSRatRegsvr.ps1'
- 'Invoke-JSRatRundll.ps1'
- 'Invoke-KrbRelay.ps1'
- 'Invoke-KrbRelayUp.ps1'
- 'Invoke-LdapSignCheck.ps1'
- 'Invoke-Lockless.ps1'
- 'Invoke-MalSCCM.ps1'
- 'Invoke-Mimikatz.ps1'
- 'Invoke-MimikatzWDigestDowngrade.ps1'
- 'Invoke-Mimikittenz.ps1'
- 'Invoke-MITM6.ps1'
- 'Invoke-NanoDump.ps1'
- 'Invoke-NetRipper.ps1'
- 'Invoke-NetworkRelay.ps1'
- 'Invoke-NinjaCopy.ps1'
- 'Invoke-OxidResolver.ps1'
- 'Invoke-P0wnedshell.ps1'
- 'Invoke-P0wnedshellx86.ps1'
- 'Invoke-Paranoia.ps1'
- 'Invoke-PortScan.ps1'
- 'Invoke-PoshRatHttp.ps1'
- 'Invoke-PoshRatHttps.ps1'
- 'Invoke-PostExfil.ps1'
- 'Invoke-PowerDump.ps1'
- 'Invoke-PowerDPAPI.ps1'
- 'Invoke-PowerShellIcmp.ps1'
- 'Invoke-PowerShellTCP.ps1'
- 'Invoke-PowerShellTcpOneLine.ps1'
- 'Invoke-PowerShellTcpOneLineBind.ps1'
- 'Invoke-PowerShellUdp.ps1'
- 'Invoke-PowerShellUdpOneLine.ps1'
- 'Invoke-PowerShellWMI.ps1'
- 'Invoke-PowerThIEf.ps1'
- 'Invoke-PPLDump.ps1'
- 'Invoke-Prasadhak.ps1'
- 'Invoke-PsExec.ps1'
- 'Invoke-PsGcat.ps1'
- 'Invoke-PsGcatAgent.ps1'
- 'Invoke-PSInject.ps1'
- 'Invoke-PsUaCme.ps1'
- 'Invoke-ReflectivePEInjection.ps1'
- 'Invoke-ReverseDNSLookup.ps1'
- 'Invoke-Rubeus.ps1'
- 'Invoke-RunAs.ps1'
- 'Invoke-SafetyKatz.ps1'
- 'Invoke-SauronEye.ps1'
- 'Invoke-SCShell.ps1'
- 'Invoke-Seatbelt.ps1'
- 'Invoke-ServiceAbuse.ps1'
- 'Invoke-SessionGopher.ps1'
- 'Invoke-ShellCode.ps1'
- 'Invoke-SMBScanner.ps1'
- 'Invoke-Snaffler.ps1'
- 'Invoke-Spoolsample.ps1'
- 'Invoke-SSHCommand.ps1'
- 'Invoke-SSIDExfil.ps1'
- 'Invoke-StandIn.ps1'
- 'Invoke-StickyNotesExtract.ps1'
- 'Invoke-Tater.ps1'
- 'Invoke-Thunderfox.ps1'
- 'Invoke-ThunderStruck.ps1'
- 'Invoke-TokenManipulation.ps1'
- 'Invoke-Tokenvator.ps1'
- 'Invoke-TotalExec.ps1'
- 'Invoke-UrbanBishop.ps1'
- 'Invoke-UserHunter.ps1'
- 'Invoke-VoiceTroll.ps1'
- 'Invoke-Whisker.ps1'
- 'Invoke-WinEnum.ps1'
- 'Invoke-winPEAS.ps1'
- 'Invoke-WireTap.ps1'
- 'Invoke-WmiCommand.ps1'
- 'Invoke-WScriptBypassUAC.ps1'
- 'Invoke-Zerologon.ps1'
- 'Keylogger.ps1'
- 'MailRaider.ps1'
- 'New-HoneyHash.ps1'
- 'OfficeMemScraper.ps1'
- 'Offline_Winpwn.ps1'
- 'Out-CHM.ps1'
- 'Out-DnsTxt.ps1'
- 'Out-Excel.ps1'
- 'Out-HTA.ps1'
- 'Out-Java.ps1'
- 'Out-JS.ps1'
- 'Out-Minidump.ps1'
- 'Out-RundllCommand.ps1'
- 'Out-SCF.ps1'
- 'Out-SCT.ps1'
- 'Out-Shortcut.ps1'
- 'Out-WebQuery.ps1'
- 'Out-Word.ps1'
- 'Parse_Keys.ps1'
- 'Port-Scan.ps1'
- 'PowerBreach.ps1'
- 'powercat.ps1'
- 'PowerRunAsSystem.psm1'
- 'PowerSharpPack.ps1'
- 'PowerUp.ps1'
- 'PowerUpSQL.ps1'
- 'PowerView.ps1'
- 'PSAsyncShell.ps1'
- 'RemoteHashRetrieval.ps1'
- 'Remove-Persistence.ps1'
- 'Remove-PoshRat.ps1'
- 'Remove-Update.ps1'
- 'Run-EXEonRemote.ps1'
- 'Schtasks-Backdoor.ps1'
- 'Set-DCShadowPermissions.ps1'
- 'Set-MacAttribute.ps1'
- 'Set-RemotePSRemoting.ps1'
- 'Set-RemoteWMI.ps1'
- 'Set-Wallpaper.ps1'
- 'Show-TargetScreen.ps1'
- 'Speak.ps1'
- 'Start-CaptureServer.ps1'
- 'Start-WebcamRecorder.ps1'
- 'StringToBase64.ps1'
- 'TexttoExe.ps1'
- 'Veeam-Get-Creds.ps1'
- 'VolumeShadowCopyTools.ps1'
- 'WinPwn.ps1'
- 'WSUSpendu.ps1'
selection_invoke_sharp:
ContextInfo|contains|all:
- 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
- '.ps1'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high