← Back to Explore
sigmahighHunting
Malicious PowerShell Commandlets - ScriptBlock
Detects Commandlet names from well-known PowerShell exploitation frameworks
Detection Query
selection:
ScriptBlockText|contains:
- Add-Exfiltration
- Add-Persistence
- Add-RegBackdoor
- Add-RemoteRegBackdoor
- Add-ScrnSaveBackdoor
- ConvertTo-Rc4ByteStream
- Decrypt-Hash
- Disable-ADIDNSNode
- Do-Exfiltration
- Enable-ADIDNSNode
- Enabled-DuplicateToken
- Exploit-Jboss
- Export-ADRCSV
- Export-ADRExcel
- Export-ADRHTML
- Export-ADRJSON
- Export-ADRXML
- Find-Fruit
- Find-GPOLocation
- Find-TrustedDocuments
- Get-ADIDNSNodeAttribute
- Get-ADIDNSNodeOwner
- Get-ADIDNSNodeTombstoned
- Get-ADIDNSPermission
- Get-ADIDNSZone
- Get-ChromeDump
- Get-ClipboardContents
- Get-FoxDump
- Get-GPPPassword
- Get-IndexedItem
- Get-KerberosAESKey
- Get-Keystrokes
- Get-LSASecret
- Get-PassHashes
- Get-RegAlwaysInstallElevated
- Get-RegAutoLogon
- Get-RemoteBootKey
- Get-RemoteCachedCredential
- Get-RemoteLocalAccountHash
- Get-RemoteLSAKey
- Get-RemoteMachineAccountHash
- Get-RemoteNLKMKey
- Get-RickAstley
- Get-SecurityPackages
- Get-ServiceFilePermission
- Get-ServicePermission
- Get-ServiceUnquoted
- Get-SiteListPassword
- Get-System
- Get-TimedScreenshot
- Get-UnattendedInstallFile
- Get-Unconstrained
- Get-USBKeystrokes
- Get-VaultCredential
- Get-VulnAutoRun
- Get-VulnSchTask
- Grant-ADIDNSPermission
- Gupt-Backdoor
- Invoke-ACLScanner
- Invoke-ADRecon
- Invoke-ADSBackdoor
- Invoke-AgentSmith
- Invoke-AllChecks
- Invoke-ARPScan
- Invoke-AzureHound
- Invoke-BackdoorLNK
- Invoke-BadPotato
- Invoke-BetterSafetyKatz
- Invoke-BypassUAC
- Invoke-Carbuncle
- Invoke-Certify
- Invoke-ConPtyShell
- Invoke-CredentialInjection
- Invoke-DAFT
- Invoke-DCSync
- Invoke-DinvokeKatz
- Invoke-DllInjection
- Invoke-DNSUpdate
- Invoke-DNSExfiltrator
- Invoke-DomainPasswordSpray
- Invoke-DowngradeAccount
- Invoke-EgressCheck
- Invoke-Eyewitness
- Invoke-FakeLogonScreen
- Invoke-Farmer
- Invoke-Get-RBCD-Threaded
- Invoke-Gopher
- Invoke-Grouper
- Invoke-HandleKatz
- Invoke-ImpersonatedProcess
- Invoke-ImpersonateSystem
- Invoke-InteractiveSystemPowerShell
- Invoke-Internalmonologue
- Invoke-Inveigh
- Invoke-InveighRelay
- Invoke-KrbRelay
- Invoke-LdapSignCheck
- Invoke-Lockless
- Invoke-MalSCCM
- Invoke-Mimikatz
- Invoke-Mimikittenz
- Invoke-MITM6
- Invoke-NanoDump
- Invoke-NetRipper
- Invoke-Nightmare
- Invoke-NinjaCopy
- Invoke-OfficeScrape
- Invoke-OxidResolver
- Invoke-P0wnedshell
- Invoke-Paranoia
- Invoke-PortScan
- Invoke-PoshRatHttp
- Invoke-PostExfil
- Invoke-PowerDump
- Invoke-PowerDPAPI
- Invoke-PowerShellTCP
- Invoke-PowerShellWMI
- Invoke-PPLDump
- Invoke-PsExec
- Invoke-PSInject
- Invoke-PsUaCme
- Invoke-ReflectivePEInjection
- Invoke-ReverseDNSLookup
- Invoke-Rubeus
- Invoke-RunAs
- Invoke-SafetyKatz
- Invoke-SauronEye
- Invoke-SCShell
- Invoke-Seatbelt
- Invoke-ServiceAbuse
- Invoke-ShadowSpray
- Invoke-Sharp
- Invoke-Shellcode
- Invoke-SMBScanner
- Invoke-Snaffler
- Invoke-Spoolsample
- Invoke-SpraySinglePassword
- Invoke-SSHCommand
- Invoke-StandIn
- Invoke-StickyNotesExtract
- Invoke-SystemCommand
- Invoke-Tasksbackdoor
- Invoke-Tater
- Invoke-Thunderfox
- Invoke-ThunderStruck
- Invoke-TokenManipulation
- Invoke-Tokenvator
- Invoke-TotalExec
- Invoke-UrbanBishop
- Invoke-UserHunter
- Invoke-VoiceTroll
- Invoke-Whisker
- Invoke-WinEnum
- Invoke-winPEAS
- Invoke-WireTap
- Invoke-WmiCommand
- Invoke-WMIExec
- Invoke-WScriptBypassUAC
- Invoke-Zerologon
- MailRaider
- New-ADIDNSNode
- New-HoneyHash
- New-InMemoryModule
- New-SOASerialNumberArray
- Out-Minidump
- PowerBreach
- "powercat "
- PowerUp
- PowerView
- Remove-ADIDNSNode
- Remove-Update
- Rename-ADIDNSNode
- Revoke-ADIDNSPermission
- Set-ADIDNSNode
- Show-TargetScreen
- Start-CaptureServer
- Start-Dnscat2
- Start-WebcamRecorder
- VolumeShadowCopyTools
filter_optional_amazon_ec2:
ScriptBlockText|contains:
- Get-SystemDriveInfo
- C:\ProgramData\Amazon\EC2-Windows\Launch\Module\
condition: selection and not 1 of filter_optional_*
Author
Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
Created
2017-03-05
Data Sources
windowsps_script
Platforms
windows
References
- https://adsecurity.org/?p=2921
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/
- https://github.com/calebstewart/CVE-2021-1675
- https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
- https://github.com/besimorhino/powercat
- https://github.com/Kevin-Robertson/Powermad
- https://github.com/adrecon/ADRecon
- https://github.com/adrecon/AzureADRecon
- https://github.com/The-Viper-One/Invoke-PowerDPAPI/
- https://github.com/Arno0x/DNSExfiltrator/
Tags
attack.executionattack.discoveryattack.t1482attack.t1087attack.t1087.001attack.t1087.002attack.t1069.001attack.t1069.002attack.t1069attack.t1059.001
Raw Content
title: Malicious PowerShell Commandlets - ScriptBlock
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
related:
- id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
type: similar
- id: 02030f2f-6199-49ec-b258-ea71b07e03dc
type: similar
- id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
type: obsolete
- id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
type: obsolete
status: test
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
- https://adsecurity.org/?p=2921
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
- https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
- https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
- https://github.com/besimorhino/powercat
- https://github.com/Kevin-Robertson/Powermad
- https://github.com/adrecon/ADRecon
- https://github.com/adrecon/AzureADRecon
- https://github.com/The-Viper-One/Invoke-PowerDPAPI/
- https://github.com/Arno0x/DNSExfiltrator/
author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
date: 2017-03-05
modified: 2025-12-10
tags:
- attack.execution
- attack.discovery
- attack.t1482
- attack.t1087
- attack.t1087.001
- attack.t1087.002
- attack.t1069.001
- attack.t1069.002
- attack.t1069
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
# Note: Please ensure alphabetical order when adding new entries
- 'Add-Exfiltration'
- 'Add-Persistence'
- 'Add-RegBackdoor'
- 'Add-RemoteRegBackdoor'
- 'Add-ScrnSaveBackdoor'
- 'ConvertTo-Rc4ByteStream'
- 'Decrypt-Hash'
- 'Disable-ADIDNSNode'
- 'Do-Exfiltration'
- 'Enable-ADIDNSNode'
- 'Enabled-DuplicateToken'
- 'Exploit-Jboss'
- 'Export-ADRCSV'
- 'Export-ADRExcel'
- 'Export-ADRHTML'
- 'Export-ADRJSON'
- 'Export-ADRXML'
- 'Find-Fruit'
- 'Find-GPOLocation'
- 'Find-TrustedDocuments'
- 'Get-ADIDNSNodeAttribute'
- 'Get-ADIDNSNodeOwner'
- 'Get-ADIDNSNodeTombstoned'
- 'Get-ADIDNSPermission'
- 'Get-ADIDNSZone'
- 'Get-ChromeDump'
- 'Get-ClipboardContents'
- 'Get-FoxDump'
- 'Get-GPPPassword'
- 'Get-IndexedItem'
- 'Get-KerberosAESKey'
- 'Get-Keystrokes'
- 'Get-LSASecret'
- 'Get-PassHashes'
- 'Get-RegAlwaysInstallElevated'
- 'Get-RegAutoLogon'
- 'Get-RemoteBootKey'
- 'Get-RemoteCachedCredential'
- 'Get-RemoteLocalAccountHash'
- 'Get-RemoteLSAKey'
- 'Get-RemoteMachineAccountHash'
- 'Get-RemoteNLKMKey'
- 'Get-RickAstley'
- 'Get-SecurityPackages'
- 'Get-ServiceFilePermission'
- 'Get-ServicePermission'
- 'Get-ServiceUnquoted'
- 'Get-SiteListPassword'
- 'Get-System'
- 'Get-TimedScreenshot'
- 'Get-UnattendedInstallFile'
- 'Get-Unconstrained'
- 'Get-USBKeystrokes'
- 'Get-VaultCredential'
- 'Get-VulnAutoRun'
- 'Get-VulnSchTask'
- 'Grant-ADIDNSPermission'
- 'Gupt-Backdoor'
- 'Invoke-ACLScanner'
- 'Invoke-ADRecon'
- 'Invoke-ADSBackdoor'
- 'Invoke-AgentSmith'
- 'Invoke-AllChecks'
- 'Invoke-ARPScan'
- 'Invoke-AzureHound'
- 'Invoke-BackdoorLNK'
- 'Invoke-BadPotato'
- 'Invoke-BetterSafetyKatz'
- 'Invoke-BypassUAC'
- 'Invoke-Carbuncle'
- 'Invoke-Certify'
- 'Invoke-ConPtyShell'
- 'Invoke-CredentialInjection'
- 'Invoke-DAFT'
- 'Invoke-DCSync'
- 'Invoke-DinvokeKatz'
- 'Invoke-DllInjection'
- 'Invoke-DNSUpdate'
- 'Invoke-DNSExfiltrator'
- 'Invoke-DomainPasswordSpray'
- 'Invoke-DowngradeAccount'
- 'Invoke-EgressCheck'
- 'Invoke-Eyewitness'
- 'Invoke-FakeLogonScreen'
- 'Invoke-Farmer'
- 'Invoke-Get-RBCD-Threaded'
- 'Invoke-Gopher'
- 'Invoke-Grouper' # Also Covers Invoke-GrouperX
- 'Invoke-HandleKatz'
- 'Invoke-ImpersonatedProcess'
- 'Invoke-ImpersonateSystem'
- 'Invoke-InteractiveSystemPowerShell'
- 'Invoke-Internalmonologue'
- 'Invoke-Inveigh'
- 'Invoke-InveighRelay'
- 'Invoke-KrbRelay'
- 'Invoke-LdapSignCheck'
- 'Invoke-Lockless'
- 'Invoke-MalSCCM'
- 'Invoke-Mimikatz'
- 'Invoke-Mimikittenz'
- 'Invoke-MITM6'
- 'Invoke-NanoDump'
- 'Invoke-NetRipper'
- 'Invoke-Nightmare'
- 'Invoke-NinjaCopy'
- 'Invoke-OfficeScrape'
- 'Invoke-OxidResolver'
- 'Invoke-P0wnedshell'
- 'Invoke-Paranoia'
- 'Invoke-PortScan'
- 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
- 'Invoke-PostExfil'
- 'Invoke-PowerDump'
- 'Invoke-PowerDPAPI'
- 'Invoke-PowerShellTCP'
- 'Invoke-PowerShellWMI'
- 'Invoke-PPLDump'
- 'Invoke-PsExec'
- 'Invoke-PSInject'
- 'Invoke-PsUaCme'
- 'Invoke-ReflectivePEInjection'
- 'Invoke-ReverseDNSLookup'
- 'Invoke-Rubeus'
- 'Invoke-RunAs'
- 'Invoke-SafetyKatz'
- 'Invoke-SauronEye'
- 'Invoke-SCShell'
- 'Invoke-Seatbelt'
- 'Invoke-ServiceAbuse'
- 'Invoke-ShadowSpray'
- 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
- 'Invoke-Shellcode'
- 'Invoke-SMBScanner'
- 'Invoke-Snaffler'
- 'Invoke-Spoolsample'
- 'Invoke-SpraySinglePassword'
- 'Invoke-SSHCommand'
- 'Invoke-StandIn'
- 'Invoke-StickyNotesExtract'
- 'Invoke-SystemCommand'
- 'Invoke-Tasksbackdoor'
- 'Invoke-Tater'
- 'Invoke-Thunderfox'
- 'Invoke-ThunderStruck'
- 'Invoke-TokenManipulation'
- 'Invoke-Tokenvator'
- 'Invoke-TotalExec'
- 'Invoke-UrbanBishop'
- 'Invoke-UserHunter'
- 'Invoke-VoiceTroll'
- 'Invoke-Whisker'
- 'Invoke-WinEnum'
- 'Invoke-winPEAS'
- 'Invoke-WireTap'
- 'Invoke-WmiCommand'
- 'Invoke-WMIExec'
- 'Invoke-WScriptBypassUAC'
- 'Invoke-Zerologon'
- 'MailRaider'
- 'New-ADIDNSNode'
- 'New-HoneyHash'
- 'New-InMemoryModule'
- 'New-SOASerialNumberArray'
- 'Out-Minidump'
- 'PowerBreach'
- 'powercat '
- 'PowerUp'
- 'PowerView'
- 'Remove-ADIDNSNode'
- 'Remove-Update'
- 'Rename-ADIDNSNode'
- 'Revoke-ADIDNSPermission'
- 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
- 'Show-TargetScreen'
- 'Start-CaptureServer'
- 'Start-Dnscat2'
- 'Start-WebcamRecorder'
- 'VolumeShadowCopyTools'
# - 'Check-VM'
# - 'Disable-MachineAccount'
# - 'Enable-MachineAccount'
# - 'Get-ApplicationHost'
# - 'Get-MachineAccountAttribute'
# - 'Get-MachineAccountCreator'
# - 'Get-Screenshot'
# - 'HTTP-Login'
# - 'Install-ServiceBinary'
# - 'Install-SSP'
# - 'New-DNSRecordArray'
# - 'New-MachineAccount'
# - 'Port-Scan'
# - 'Remove-MachineAccount'
# - 'Set-MacAttribute'
# - 'Set-MachineAccountAttribute'
# - 'Set-Wallpaper'
filter_optional_amazon_ec2:
ScriptBlockText|contains:
- Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
- C:\ProgramData\Amazon\EC2-Windows\Launch\Module\ # false positive form Amazon EC2
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high