EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Malicious Nishang PowerShell Commandlets

Detects Commandlet names and arguments from the Nishang exploitation framework

MITRE ATT&CK

T1059.001
execution

Detection Query

selection:
  ScriptBlockText|contains:
    - Add-ConstrainedDelegationBackdoor
    - Copy-VSS
    - Create-MultipleSessions
    - DataToEncode
    - DNS_TXT_Pwnage
    - Do-Exfiltration-Dns
    - Download_Execute
    - Download-Execute-PS
    - DownloadAndExtractFromRemoteRegistry
    - DumpCerts
    - DumpCreds
    - DumpHashes
    - Enable-DuplicateToken
    - Enable-Duplication
    - Execute-Command-MSSQL
    - Execute-DNSTXT-Code
    - Execute-OnTime
    - ExetoText
    - exfill
    - ExfilOption
    - FakeDC
    - FireBuster
    - FireListener
    - "Get-Information "
    - Get-PassHints
    - Get-Web-Credentials
    - Get-WebCredentials
    - Get-WLAN-Keys
    - HTTP-Backdoor
    - Invoke-AmsiBypass
    - Invoke-BruteForce
    - Invoke-CredentialsPhish
    - Invoke-Decode
    - Invoke-Encode
    - Invoke-Interceptor
    - Invoke-JSRatRegsvr
    - Invoke-JSRatRundll
    - Invoke-MimikatzWDigestDowngrade
    - Invoke-NetworkRelay
    - Invoke-PowerShellIcmp
    - Invoke-PowerShellUdp
    - Invoke-Prasadhak
    - Invoke-PSGcat
    - Invoke-PsGcatAgent
    - Invoke-SessionGopher
    - Invoke-SSIDExfil
    - LoggedKeys
    - Nishang
    - NotAllNameSpaces
    - Out-CHM
    - OUT-DNSTXT
    - Out-HTA
    - Out-RundllCommand
    - Out-SCF
    - Out-SCT
    - Out-Shortcut
    - Out-WebQuery
    - Out-Word
    - Parse_Keys
    - Password-List
    - Powerpreter
    - Remove-Persistence
    - Remove-PoshRat
    - Remove-Update
    - Run-EXEonRemote
    - Set-DCShadowPermissions
    - Set-RemotePSRemoting
    - Set-RemoteWMI
    - Shellcode32
    - Shellcode64
    - StringtoBase64
    - TexttoExe
condition: selection

Author

Alec Costello

Created

2019-05-16

Data Sources

windowsps_script

Platforms

windows

References

Tags

attack.executionattack.t1059.001
Raw Content
title: Malicious Nishang PowerShell Commandlets
id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
status: test
description: Detects Commandlet names and arguments from the Nishang exploitation framework
references:
    - https://github.com/samratashok/nishang
author: Alec Costello
date: 2019-05-16
modified: 2023-01-16
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Add-ConstrainedDelegationBackdoor'
            # - 'Add-Persistence' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            # - 'Add-RegBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            # - 'Add-ScrnSaveBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            - 'Copy-VSS'
            - 'Create-MultipleSessions'
            - 'DataToEncode'
            - 'DNS_TXT_Pwnage'
            - 'Do-Exfiltration-Dns'
            - 'Download_Execute'
            - 'Download-Execute-PS'
            - 'DownloadAndExtractFromRemoteRegistry'
            - 'DumpCerts'
            - 'DumpCreds'
            - 'DumpHashes'
            - 'Enable-DuplicateToken'
            - 'Enable-Duplication'
            - 'Execute-Command-MSSQL'
            - 'Execute-DNSTXT-Code'
            - 'Execute-OnTime'
            - 'ExetoText'
            - 'exfill'
            - 'ExfilOption'
            - 'FakeDC'
            - 'FireBuster'
            - 'FireListener'
            - 'Get-Information ' # Space at the end is required. Otherwise, we get FP with Get-InformationBarrierReportDetails or Get-InformationBarrierReportSummary
            # - 'Get-PassHashes' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            - 'Get-PassHints'
            - 'Get-Web-Credentials'
            - 'Get-WebCredentials'
            - 'Get-WLAN-Keys'
            # - 'Gupt-Backdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            - 'HTTP-Backdoor'
            # - 'Invoke-ADSBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            - 'Invoke-AmsiBypass'
            - 'Invoke-BruteForce'
            - 'Invoke-CredentialsPhish'
            - 'Invoke-Decode'
            - 'Invoke-Encode'
            - 'Invoke-Interceptor'
            - 'Invoke-JSRatRegsvr'
            - 'Invoke-JSRatRundll'
            - 'Invoke-MimikatzWDigestDowngrade'
            - 'Invoke-NetworkRelay'
            # - 'Invoke-PortScan' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            # - 'Invoke-PoshRatHttp' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            - 'Invoke-PowerShellIcmp'
            - 'Invoke-PowerShellUdp'
            - 'Invoke-Prasadhak'
            - 'Invoke-PSGcat'
            - 'Invoke-PsGcatAgent'
            # - 'Invoke-PsUACme' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            - 'Invoke-SessionGopher'
            - 'Invoke-SSIDExfil'
            # - Jitter  # Prone to FPs
            # - 'Keylogger' # Too generic to be linked to Nishang
            - 'LoggedKeys'
            - 'Nishang'
            - 'NotAllNameSpaces' # This is param to "Set-RemoteWMI"
            - 'Out-CHM'
            - 'OUT-DNSTXT'
            - 'Out-HTA'
            - 'Out-RundllCommand'
            - 'Out-SCF'
            - 'Out-SCT'
            - 'Out-Shortcut'
            - 'Out-WebQuery'
            - 'Out-Word'
            - 'Parse_Keys'
            - 'Password-List'
            - 'Powerpreter'
            - 'Remove-Persistence'
            - 'Remove-PoshRat'
            - 'Remove-Update'
            - 'Run-EXEonRemote'
            - 'Set-DCShadowPermissions'
            - 'Set-RemotePSRemoting'
            - 'Set-RemoteWMI'
            - 'Shellcode32'
            - 'Shellcode64'
            - 'StringtoBase64'
            - 'TexttoExe'
    condition: selection
falsepositives:
    - Unknown
level: high