← Back to Explore
sigmamediumHunting
Malicious PowerShell Keywords
Detects keywords from well-known PowerShell exploitation frameworks
Detection Query
selection:
ScriptBlockText|contains:
- AdjustTokenPrivileges
- IMAGE_NT_OPTIONAL_HDR64_MAGIC
- Metasploit
- Microsoft.Win32.UnsafeNativeMethods
- Mimikatz
- MiniDumpWriteDump
- PAGE_EXECUTE_READ
- ReadProcessMemory.Invoke
- SE_PRIVILEGE_ENABLED
- SECURITY_DELEGATION
- TOKEN_ADJUST_PRIVILEGES
- TOKEN_ALL_ACCESS
- TOKEN_ASSIGN_PRIMARY
- TOKEN_DUPLICATE
- TOKEN_ELEVATION
- TOKEN_IMPERSONATE
- TOKEN_INFORMATION_CLASS
- TOKEN_PRIVILEGES
- TOKEN_QUERY
condition: selection
Author
Sean Metcalf (source), Florian Roth (Nextron Systems)
Created
2017-03-05
Data Sources
windowsps_script
Platforms
windows
References
Tags
attack.executionattack.t1059.001
Raw Content
title: Malicious PowerShell Keywords
id: f62176f3-8128-4faa-bf6c-83261322e5eb
status: test
description: Detects keywords from well-known PowerShell exploitation frameworks
references:
- https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (Nextron Systems)
date: 2017-03-05
modified: 2023-06-20
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'AdjustTokenPrivileges'
- 'IMAGE_NT_OPTIONAL_HDR64_MAGIC'
# - 'LSA_UNICODE_STRING'
- 'Metasploit'
- 'Microsoft.Win32.UnsafeNativeMethods'
- 'Mimikatz'
- 'MiniDumpWriteDump'
- 'PAGE_EXECUTE_READ'
- 'ReadProcessMemory.Invoke'
- 'SE_PRIVILEGE_ENABLED'
- 'SECURITY_DELEGATION'
- 'TOKEN_ADJUST_PRIVILEGES'
- 'TOKEN_ALL_ACCESS'
- 'TOKEN_ASSIGN_PRIMARY'
- 'TOKEN_DUPLICATE'
- 'TOKEN_ELEVATION'
- 'TOKEN_IMPERSONATE'
- 'TOKEN_INFORMATION_CLASS'
- 'TOKEN_PRIVILEGES'
- 'TOKEN_QUERY'
condition: selection
falsepositives:
- Depending on the scripts, this rule might require some initial tuning to fit the environment
level: medium