sigma · high · Hunting
Malicious PowerShell Scripts - FileCreation
Detects the creation of known offensive PowerShell scripts used for exploitation
Detection Query
# Rendered view of the rule's `detection:` section (see "Raw Content" below for
# the complete rule). Sigma string matching is case-insensitive by default, and
# the leading backslash pins every pattern to a path separator, so a suffix such
# as \Get-System.ps1 does not also fire on \Invoke-Get-System.ps1.
selection_generic:
    TargetFilename|endswith:
        - \Add-ConstrainedDelegationBackdoor.ps1
        - \Add-Exfiltration.ps1
        - \Add-Persistence.ps1
        - \Add-RegBackdoor.ps1
        - \Add-RemoteRegBackdoor.ps1
        - \Add-ScrnSaveBackdoor.ps1
        - \ADRecon.ps1
        - \AzureADRecon.ps1
        - \BadSuccessor.ps1
        - \Check-VM.ps1
        - \ConvertTo-ROT13.ps1
        - \Copy-VSS.ps1
        - \Create-MultipleSessions.ps1
        - \DNS_TXT_Pwnage.ps1
        - \dnscat2.ps1
        - \Do-Exfiltration.ps1
        - \DomainPasswordSpray.ps1
        - \Download_Execute.ps1
        - \Download-Execute-PS.ps1
        # Two spellings of the same script name; both are listed on purpose.
        - \Enable-DuplicateToken.ps1
        - \Enabled-DuplicateToken.ps1
        - \Execute-Command-MSSQL.ps1
        - \Execute-DNSTXT-Code.ps1
        - \Execute-OnTime.ps1
        - \ExetoText.ps1
        - \Exploit-Jboss.ps1
        - \Find-AVSignature.ps1
        - \Find-Fruit.ps1
        - \Find-GPOLocation.ps1
        - \Find-TrustedDocuments.ps1
        - \FireBuster.ps1
        - \FireListener.ps1
        - \Get-ApplicationHost.ps1
        - \Get-ChromeDump.ps1
        - \Get-ClipboardContents.ps1
        - \Get-ComputerDetail.ps1
        - \Get-FoxDump.ps1
        - \Get-GPPAutologon.ps1
        - \Get-GPPPassword.ps1
        - \Get-IndexedItem.ps1
        - \Get-Keystrokes.ps1
        - \Get-LSASecret.ps1
        - \Get-MicrophoneAudio.ps1
        - \Get-PassHashes.ps1
        - \Get-PassHints.ps1
        - \Get-RegAlwaysInstallElevated.ps1
        - \Get-RegAutoLogon.ps1
        - \Get-RickAstley.ps1
        - \Get-Screenshot.ps1
        - \Get-SecurityPackages.ps1
        - \Get-ServiceFilePermission.ps1
        - \Get-ServicePermission.ps1
        - \Get-ServiceUnquoted.ps1
        - \Get-SiteListPassword.ps1
        - \Get-System.ps1
        - \Get-TimedScreenshot.ps1
        - \Get-UnattendedInstallFile.ps1
        - \Get-Unconstrained.ps1
        - \Get-USBKeystrokes.ps1
        - \Get-VaultCredential.ps1
        - \Get-VulnAutoRun.ps1
        - \Get-VulnSchTask.ps1
        - \Get-WebConfig.ps1
        - \Get-WebCredentials.ps1
        - \Get-WLAN-Keys.ps1
        - \Gupt-Backdoor.ps1
        - \HTTP-Backdoor.ps1
        - \HTTP-Login.ps1
        - \Install-ServiceBinary.ps1
        - \Install-SSP.ps1
        - \Invoke-ACLScanner.ps1
        - \Invoke-ADSBackdoor.ps1
        - \Invoke-AmsiBypass.ps1
        - \Invoke-ARPScan.ps1
        - \Invoke-BackdoorLNK.ps1
        - \Invoke-BadPotato.ps1
        - \Invoke-BetterSafetyKatz.ps1
        - \Invoke-BruteForce.ps1
        - \Invoke-BypassUAC.ps1
        - \Invoke-Carbuncle.ps1
        - \Invoke-Certify.ps1
        - \Invoke-ConPtyShell.ps1
        - \Invoke-CredentialInjection.ps1
        - \Invoke-CredentialsPhish.ps1
        - \Invoke-DAFT.ps1
        - \Invoke-DCSync.ps1
        - \Invoke-Decode.ps1
        - \Invoke-DinvokeKatz.ps1
        - \Invoke-DllInjection.ps1
        - \Invoke-DNSExfiltrator.ps1
        - \Invoke-DNSUpdate.ps1
        - \Invoke-DowngradeAccount.ps1
        - \Invoke-EgressCheck.ps1
        - \Invoke-Encode.ps1
        - \Invoke-EventViewer.ps1
        - \Invoke-Eyewitness.ps1
        - \Invoke-FakeLogonScreen.ps1
        - \Invoke-Farmer.ps1
        - \Invoke-Get-RBCD-Threaded.ps1
        - \Invoke-Gopher.ps1
        - \Invoke-Grouper2.ps1
        - \Invoke-Grouper3.ps1
        - \Invoke-HandleKatz.ps1
        - \Invoke-Interceptor.ps1
        - \Invoke-Internalmonologue.ps1
        - \Invoke-Inveigh.ps1
        - \Invoke-InveighRelay.ps1
        - \Invoke-JSRatRegsvr.ps1
        - \Invoke-JSRatRundll.ps1
        - \Invoke-KrbRelay.ps1
        - \Invoke-KrbRelayUp.ps1
        - \Invoke-LdapSignCheck.ps1
        - \Invoke-Lockless.ps1
        - \Invoke-MalSCCM.ps1
        - \Invoke-Mimikatz.ps1
        - \Invoke-MimikatzWDigestDowngrade.ps1
        - \Invoke-Mimikittenz.ps1
        - \Invoke-MITM6.ps1
        - \Invoke-NanoDump.ps1
        - \Invoke-NetRipper.ps1
        - \Invoke-NetworkRelay.ps1
        - \Invoke-NinjaCopy.ps1
        - \Invoke-OxidResolver.ps1
        - \Invoke-P0wnedshell.ps1
        - \Invoke-P0wnedshellx86.ps1
        - \Invoke-Paranoia.ps1
        - \Invoke-PortScan.ps1
        - \Invoke-PoshRatHttp.ps1
        - \Invoke-PoshRatHttps.ps1
        - \Invoke-PostExfil.ps1
        - \Invoke-PowerDump.ps1
        - \Invoke-PowerDPAPI.ps1
        - \Invoke-PowerShellIcmp.ps1
        - \Invoke-PowerShellTCP.ps1
        - \Invoke-PowerShellTcpOneLine.ps1
        - \Invoke-PowerShellTcpOneLineBind.ps1
        - \Invoke-PowerShellUdp.ps1
        - \Invoke-PowerShellUdpOneLine.ps1
        - \Invoke-PowerShellWMI.ps1
        - \Invoke-PowerThIEf.ps1
        - \Invoke-PPLDump.ps1
        - \Invoke-Prasadhak.ps1
        - \Invoke-PsExec.ps1
        - \Invoke-PsGcat.ps1
        - \Invoke-PsGcatAgent.ps1
        - \Invoke-PSInject.ps1
        - \Invoke-PsUaCme.ps1
        - \Invoke-ReflectivePEInjection.ps1
        - \Invoke-ReverseDNSLookup.ps1
        - \Invoke-Rubeus.ps1
        - \Invoke-RunAs.ps1
        - \Invoke-SafetyKatz.ps1
        - \Invoke-SauronEye.ps1
        - \Invoke-SCShell.ps1
        - \Invoke-Seatbelt.ps1
        - \Invoke-ServiceAbuse.ps1
        - \Invoke-SessionGopher.ps1
        - \Invoke-ShellCode.ps1
        - \Invoke-SMBScanner.ps1
        - \Invoke-Snaffler.ps1
        - \Invoke-Spoolsample.ps1
        - \Invoke-SSHCommand.ps1
        - \Invoke-SSIDExfil.ps1
        - \Invoke-StandIn.ps1
        - \Invoke-StickyNotesExtract.ps1
        - \Invoke-Tater.ps1
        - \Invoke-Thunderfox.ps1
        - \Invoke-ThunderStruck.ps1
        - \Invoke-TokenManipulation.ps1
        - \Invoke-Tokenvator.ps1
        - \Invoke-TotalExec.ps1
        - \Invoke-UrbanBishop.ps1
        - \Invoke-UserHunter.ps1
        - \Invoke-VoiceTroll.ps1
        - \Invoke-Whisker.ps1
        - \Invoke-WinEnum.ps1
        - \Invoke-winPEAS.ps1
        - \Invoke-WireTap.ps1
        - \Invoke-WmiCommand.ps1
        - \Invoke-WScriptBypassUAC.ps1
        - \Invoke-Zerologon.ps1
        - \Keylogger.ps1
        - \MailRaider.ps1
        - \New-HoneyHash.ps1
        - \OfficeMemScraper.ps1
        - \Offline_Winpwn.ps1
        - \Out-CHM.ps1
        - \Out-DnsTxt.ps1
        - \Out-Excel.ps1
        - \Out-HTA.ps1
        - \Out-Java.ps1
        - \Out-JS.ps1
        - \Out-Minidump.ps1
        - \Out-RundllCommand.ps1
        - \Out-SCF.ps1
        - \Out-SCT.ps1
        - \Out-Shortcut.ps1
        - \Out-WebQuery.ps1
        - \Out-Word.ps1
        - \Parse_Keys.ps1
        - \Port-Scan.ps1
        - \PowerBreach.ps1
        - \powercat.ps1
        - \Powermad.ps1
        # A module file (.psm1); the .ps1-only selection below would not see it.
        - \PowerRunAsSystem.psm1
        - \PowerSharpPack.ps1
        - \PowerUp.ps1
        - \PowerUpSQL.ps1
        - \PowerView.ps1
        - \PSAsyncShell.ps1
        - \RemoteHashRetrieval.ps1
        - \Remove-Persistence.ps1
        - \Remove-PoshRat.ps1
        - \Remove-Update.ps1
        - \Run-EXEonRemote.ps1
        - \Schtasks-Backdoor.ps1
        - \Set-DCShadowPermissions.ps1
        - \Set-MacAttribute.ps1
        - \Set-RemotePSRemoting.ps1
        - \Set-RemoteWMI.ps1
        - \Set-Wallpaper.ps1
        - \Show-TargetScreen.ps1
        - \Speak.ps1
        - \Start-CaptureServer.ps1
        - \Start-WebcamRecorder.ps1
        - \StringToBase64.ps1
        - \TexttoExe.ps1
        - \Veeam-Get-Creds.ps1
        - \VolumeShadowCopyTools.ps1
        - \WinPwn.ps1
        - \WSUSpendu.ps1
# `contains` matches anywhere in the full path, so a directory named
# Invoke-Sharp* with any .ps1 inside it also satisfies this selection.
selection_invoke_sharp:
    TargetFilename|contains: Invoke-Sharp
    TargetFilename|endswith: .ps1
# Either selection on its own is enough for the rule to fire.
condition: 1 of selection_*
Author
Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein
Created
2018-04-07
Data Sources
windows · File Events
Platforms
windows
References
- https://github.com/PowerShellMafia/PowerSploit
- https://github.com/NetSPI/PowerUpSQL
- https://github.com/CsEnox/EventViewer-UACBypass
- https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu
- https://github.com/nettitude/Invoke-PowerThIEf
- https://github.com/S3cur3Th1sSh1t/WinPwn
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
- https://github.com/besimorhino/powercat
- https://github.com/Kevin-Robertson/Powermad
- https://github.com/adrecon/ADRecon
- https://github.com/adrecon/AzureADRecon
- https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
- https://github.com/The-Viper-One/Invoke-PowerDPAPI/
- https://github.com/Arno0x/DNSExfiltrator/
Tags
attack.execution, attack.t1059.001
Raw Content
# Sigma rule: fires on a Windows file-creation event whose target file name
# matches one of the well-known offensive PowerShell script names listed under
# selection_generic (PowerSploit, nishang, PowerUpSQL, WinPwn, ... per the
# references), or any Invoke-Sharp*.ps1 file. Key layout and single-quoted
# backslash patterns follow the upstream Sigma repository style.
title: Malicious PowerShell Scripts - FileCreation
id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
# The related rule is known here only by id; type 'similar' suggests it detects
# the same tooling on another log source — confirm before counting on it for
# coverage of scripts that never touch disk.
related:
    - id: 41025fd7-0466-4650-a813-574aaacbe7f4
      type: similar
# 'test' means the rule is still being validated, not yet 'stable'.
status: test
description: Detects the creation of known offensive powershell scripts used for exploitation
# NOTE(review): Get-DXWebcamVideo.ps1 is cited below but has no matching entry
# under selection_generic — confirm whether it was dropped on purpose.
references:
    - https://github.com/PowerShellMafia/PowerSploit
    - https://github.com/NetSPI/PowerUpSQL
    - https://github.com/CsEnox/EventViewer-UACBypass
    - https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu
    - https://github.com/nettitude/Invoke-PowerThIEf
    - https://github.com/S3cur3Th1sSh1t/WinPwn
    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
    - https://github.com/HarmJ0y/DAMP
    - https://github.com/samratashok/nishang
    - https://github.com/DarkCoderSc/PowerRunAsSystem/
    - https://github.com/besimorhino/powercat
    - https://github.com/Kevin-Robertson/Powermad
    - https://github.com/adrecon/ADRecon
    - https://github.com/adrecon/AzureADRecon
    - https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
    - https://github.com/The-Viper-One/Invoke-PowerDPAPI/
    - https://github.com/Arno0x/DNSExfiltrator/
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein
# Unquoted ISO dates load as date objects under YAML 1.1 parsers; this is the
# upstream Sigma convention and what its tooling expects.
date: 2018-04-07
modified: 2025-12-10
tags:
    - attack.execution
    - attack.t1059.001
# file_event/windows is commonly mapped by backends to Sysmon Event ID 11
# (FileCreate). Only scripts written to disk are visible here; scripts fetched
# and executed purely in memory never produce this event.
logsource:
    category: file_event
    product: windows
# Sigma string matching is case-insensitive by default. The leading backslash
# pins each pattern to a path separator, so e.g. '\Get-System.ps1' does not also
# fire on '\Invoke-Get-System.ps1'.
detection:
    selection_generic:
        TargetFilename|endswith:
            # Note: Please ensure alphabetical order when adding new entries
            - '\Add-ConstrainedDelegationBackdoor.ps1'
            - '\Add-Exfiltration.ps1'
            - '\Add-Persistence.ps1'
            - '\Add-RegBackdoor.ps1'
            - '\Add-RemoteRegBackdoor.ps1'
            - '\Add-ScrnSaveBackdoor.ps1'
            - '\ADRecon.ps1'
            - '\AzureADRecon.ps1'
            - '\BadSuccessor.ps1'
            - '\Check-VM.ps1'
            - '\ConvertTo-ROT13.ps1'
            - '\Copy-VSS.ps1'
            - '\Create-MultipleSessions.ps1'
            - '\DNS_TXT_Pwnage.ps1'
            - '\dnscat2.ps1'
            - '\Do-Exfiltration.ps1'
            - '\DomainPasswordSpray.ps1'
            - '\Download_Execute.ps1'
            - '\Download-Execute-PS.ps1'
            # Two spellings of the same script name; both are listed on purpose.
            - '\Enable-DuplicateToken.ps1'
            - '\Enabled-DuplicateToken.ps1'
            - '\Execute-Command-MSSQL.ps1'
            - '\Execute-DNSTXT-Code.ps1'
            - '\Execute-OnTime.ps1'
            - '\ExetoText.ps1'
            - '\Exploit-Jboss.ps1'
            - '\Find-AVSignature.ps1'
            - '\Find-Fruit.ps1'
            - '\Find-GPOLocation.ps1'
            - '\Find-TrustedDocuments.ps1'
            - '\FireBuster.ps1'
            - '\FireListener.ps1'
            - '\Get-ApplicationHost.ps1'
            - '\Get-ChromeDump.ps1'
            - '\Get-ClipboardContents.ps1'
            - '\Get-ComputerDetail.ps1'
            - '\Get-FoxDump.ps1'
            - '\Get-GPPAutologon.ps1'
            - '\Get-GPPPassword.ps1'
            - '\Get-IndexedItem.ps1'
            - '\Get-Keystrokes.ps1'
            - '\Get-LSASecret.ps1'
            - '\Get-MicrophoneAudio.ps1'
            - '\Get-PassHashes.ps1'
            - '\Get-PassHints.ps1'
            - '\Get-RegAlwaysInstallElevated.ps1'
            - '\Get-RegAutoLogon.ps1'
            - '\Get-RickAstley.ps1'
            - '\Get-Screenshot.ps1'
            - '\Get-SecurityPackages.ps1'
            - '\Get-ServiceFilePermission.ps1'
            - '\Get-ServicePermission.ps1'
            - '\Get-ServiceUnquoted.ps1'
            - '\Get-SiteListPassword.ps1'
            - '\Get-System.ps1'
            - '\Get-TimedScreenshot.ps1'
            - '\Get-UnattendedInstallFile.ps1'
            - '\Get-Unconstrained.ps1'
            - '\Get-USBKeystrokes.ps1'
            - '\Get-VaultCredential.ps1'
            - '\Get-VulnAutoRun.ps1'
            - '\Get-VulnSchTask.ps1'
            - '\Get-WebConfig.ps1'
            - '\Get-WebCredentials.ps1'
            - '\Get-WLAN-Keys.ps1'
            - '\Gupt-Backdoor.ps1'
            - '\HTTP-Backdoor.ps1'
            - '\HTTP-Login.ps1'
            - '\Install-ServiceBinary.ps1'
            - '\Install-SSP.ps1'
            - '\Invoke-ACLScanner.ps1'
            - '\Invoke-ADSBackdoor.ps1'
            - '\Invoke-AmsiBypass.ps1'
            - '\Invoke-ARPScan.ps1'
            - '\Invoke-BackdoorLNK.ps1'
            - '\Invoke-BadPotato.ps1'
            - '\Invoke-BetterSafetyKatz.ps1'
            - '\Invoke-BruteForce.ps1'
            - '\Invoke-BypassUAC.ps1'
            - '\Invoke-Carbuncle.ps1'
            - '\Invoke-Certify.ps1'
            - '\Invoke-ConPtyShell.ps1'
            - '\Invoke-CredentialInjection.ps1'
            - '\Invoke-CredentialsPhish.ps1'
            - '\Invoke-DAFT.ps1'
            - '\Invoke-DCSync.ps1'
            - '\Invoke-Decode.ps1'
            - '\Invoke-DinvokeKatz.ps1'
            - '\Invoke-DllInjection.ps1'
            - '\Invoke-DNSExfiltrator.ps1'
            - '\Invoke-DNSUpdate.ps1'
            - '\Invoke-DowngradeAccount.ps1'
            - '\Invoke-EgressCheck.ps1'
            - '\Invoke-Encode.ps1'
            - '\Invoke-EventViewer.ps1'
            - '\Invoke-Eyewitness.ps1'
            - '\Invoke-FakeLogonScreen.ps1'
            - '\Invoke-Farmer.ps1'
            - '\Invoke-Get-RBCD-Threaded.ps1'
            - '\Invoke-Gopher.ps1'
            - '\Invoke-Grouper2.ps1'
            - '\Invoke-Grouper3.ps1'
            - '\Invoke-HandleKatz.ps1'
            - '\Invoke-Interceptor.ps1'
            - '\Invoke-Internalmonologue.ps1'
            - '\Invoke-Inveigh.ps1'
            - '\Invoke-InveighRelay.ps1'
            - '\Invoke-JSRatRegsvr.ps1'
            - '\Invoke-JSRatRundll.ps1'
            - '\Invoke-KrbRelay.ps1'
            - '\Invoke-KrbRelayUp.ps1'
            - '\Invoke-LdapSignCheck.ps1'
            - '\Invoke-Lockless.ps1'
            - '\Invoke-MalSCCM.ps1'
            - '\Invoke-Mimikatz.ps1'
            - '\Invoke-MimikatzWDigestDowngrade.ps1'
            - '\Invoke-Mimikittenz.ps1'
            - '\Invoke-MITM6.ps1'
            - '\Invoke-NanoDump.ps1'
            - '\Invoke-NetRipper.ps1'
            - '\Invoke-NetworkRelay.ps1'
            - '\Invoke-NinjaCopy.ps1'
            - '\Invoke-OxidResolver.ps1'
            - '\Invoke-P0wnedshell.ps1'
            - '\Invoke-P0wnedshellx86.ps1'
            - '\Invoke-Paranoia.ps1'
            - '\Invoke-PortScan.ps1'
            - '\Invoke-PoshRatHttp.ps1'
            - '\Invoke-PoshRatHttps.ps1'
            - '\Invoke-PostExfil.ps1'
            - '\Invoke-PowerDump.ps1'
            - '\Invoke-PowerDPAPI.ps1'
            - '\Invoke-PowerShellIcmp.ps1'
            - '\Invoke-PowerShellTCP.ps1'
            - '\Invoke-PowerShellTcpOneLine.ps1'
            - '\Invoke-PowerShellTcpOneLineBind.ps1'
            - '\Invoke-PowerShellUdp.ps1'
            - '\Invoke-PowerShellUdpOneLine.ps1'
            - '\Invoke-PowerShellWMI.ps1'
            - '\Invoke-PowerThIEf.ps1'
            - '\Invoke-PPLDump.ps1'
            - '\Invoke-Prasadhak.ps1'
            - '\Invoke-PsExec.ps1'
            - '\Invoke-PsGcat.ps1'
            - '\Invoke-PsGcatAgent.ps1'
            - '\Invoke-PSInject.ps1'
            - '\Invoke-PsUaCme.ps1'
            - '\Invoke-ReflectivePEInjection.ps1'
            - '\Invoke-ReverseDNSLookup.ps1'
            - '\Invoke-Rubeus.ps1'
            - '\Invoke-RunAs.ps1'
            - '\Invoke-SafetyKatz.ps1'
            - '\Invoke-SauronEye.ps1'
            - '\Invoke-SCShell.ps1'
            - '\Invoke-Seatbelt.ps1'
            - '\Invoke-ServiceAbuse.ps1'
            - '\Invoke-SessionGopher.ps1'
            - '\Invoke-ShellCode.ps1'
            - '\Invoke-SMBScanner.ps1'
            - '\Invoke-Snaffler.ps1'
            - '\Invoke-Spoolsample.ps1'
            - '\Invoke-SSHCommand.ps1'
            - '\Invoke-SSIDExfil.ps1'
            - '\Invoke-StandIn.ps1'
            - '\Invoke-StickyNotesExtract.ps1'
            - '\Invoke-Tater.ps1'
            - '\Invoke-Thunderfox.ps1'
            - '\Invoke-ThunderStruck.ps1'
            - '\Invoke-TokenManipulation.ps1'
            - '\Invoke-Tokenvator.ps1'
            - '\Invoke-TotalExec.ps1'
            - '\Invoke-UrbanBishop.ps1'
            - '\Invoke-UserHunter.ps1'
            - '\Invoke-VoiceTroll.ps1'
            - '\Invoke-Whisker.ps1'
            - '\Invoke-WinEnum.ps1'
            - '\Invoke-winPEAS.ps1'
            - '\Invoke-WireTap.ps1'
            - '\Invoke-WmiCommand.ps1'
            - '\Invoke-WScriptBypassUAC.ps1'
            - '\Invoke-Zerologon.ps1'
            - '\Keylogger.ps1'
            - '\MailRaider.ps1'
            - '\New-HoneyHash.ps1'
            - '\OfficeMemScraper.ps1'
            - '\Offline_Winpwn.ps1'
            - '\Out-CHM.ps1'
            - '\Out-DnsTxt.ps1'
            - '\Out-Excel.ps1'
            - '\Out-HTA.ps1'
            - '\Out-Java.ps1'
            - '\Out-JS.ps1'
            - '\Out-Minidump.ps1'
            - '\Out-RundllCommand.ps1'
            - '\Out-SCF.ps1'
            - '\Out-SCT.ps1'
            - '\Out-Shortcut.ps1'
            - '\Out-WebQuery.ps1'
            - '\Out-Word.ps1'
            - '\Parse_Keys.ps1'
            - '\Port-Scan.ps1'
            - '\PowerBreach.ps1'
            - '\powercat.ps1'
            - '\Powermad.ps1'
            # A module file (.psm1); selection_invoke_sharp's .ps1 suffix would not see it.
            - '\PowerRunAsSystem.psm1'
            - '\PowerSharpPack.ps1'
            - '\PowerUp.ps1'
            - '\PowerUpSQL.ps1'
            - '\PowerView.ps1'
            - '\PSAsyncShell.ps1'
            - '\RemoteHashRetrieval.ps1'
            - '\Remove-Persistence.ps1'
            - '\Remove-PoshRat.ps1'
            - '\Remove-Update.ps1'
            - '\Run-EXEonRemote.ps1'
            - '\Schtasks-Backdoor.ps1'
            - '\Set-DCShadowPermissions.ps1'
            - '\Set-MacAttribute.ps1'
            - '\Set-RemotePSRemoting.ps1'
            - '\Set-RemoteWMI.ps1'
            - '\Set-Wallpaper.ps1'
            - '\Show-TargetScreen.ps1'
            - '\Speak.ps1'
            - '\Start-CaptureServer.ps1'
            - '\Start-WebcamRecorder.ps1'
            - '\StringToBase64.ps1'
            - '\TexttoExe.ps1'
            - '\Veeam-Get-Creds.ps1'
            - '\VolumeShadowCopyTools.ps1'
            - '\WinPwn.ps1'
            - '\WSUSpendu.ps1'
    # `contains` matches anywhere in the full path, so a directory named
    # Invoke-Sharp* holding any .ps1 also satisfies this selection; presumably
    # intended to catch the Invoke-Sharp* wrapper scripts of PowerSharpPack
    # (see references) without listing each one.
    selection_invoke_sharp:
        TargetFilename|contains: 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
        TargetFilename|endswith: '.ps1'
    # Either selection on its own is enough for the rule to fire.
    condition: 1 of selection_*
# NOTE(review): authorised red-team / penetration-test engagements and security
# research or AV-sample hosts will legitimately create these files; tune by
# host or path where such systems exist rather than lowering the level.
falsepositives:
    - Unknown
level: high