Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
PowerView PowerShell Cmdlets - ScriptBlock
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
PowerView PowerShell Cmdlets - ScriptBlock
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: PowerView PowerShell Cmdlets - ScriptBlock
id: dcd74b95-3f36-4ed9-9598-0490951643aa
related:
- id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d
type: similar
status: test
description: Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.
references:
- https://powersploit.readthedocs.io/en/stable/Recon/README
- https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
- https://thedfirreport.com/2020/10/08/ryuks-return
- https://adsecurity.org/?p=2277
author: Bhabesh Raj
date: 2021-05-18
modified: 2023-11-22
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Export-PowerViewCSV'
- 'Find-DomainLocalGroupMember'
- 'Find-DomainObjectPropertyOutlier'
- 'Find-DomainProcess'
- 'Find-DomainShare'
- 'Find-DomainUserEvent'
- 'Find-DomainUserLocation'
- 'Find-ForeignGroup'
- 'Find-ForeignUser'
- 'Find-GPOComputerAdmin'
- 'Find-GPOLocation'
- 'Find-InterestingDomain' # Covers: Find-InterestingDomainAcl, Find-InterestingDomainShareFile
- 'Find-InterestingFile'
- 'Find-LocalAdminAccess'
- 'Find-ManagedSecurityGroups'
- 'Get-CachedRDPConnection'
- 'Get-DFSshare'
- 'Get-DomainDFSShare'
- 'Get-DomainDNSRecord'
- 'Get-DomainDNSZone'
- 'Get-DomainFileServer'
- 'Get-DomainGPOComputerLocalGroupMapping'
- 'Get-DomainGPOLocalGroup'
- 'Get-DomainGPOUserLocalGroupMapping'
- 'Get-LastLoggedOn'
- 'Get-LoggedOnLocal'
- 'Get-NetFileServer'
- 'Get-NetForest' # Covers: Get-NetForestCatalog, Get-NetForestDomain, Get-NetForestTrust
- 'Get-NetGPOGroup'
- 'Get-NetProcess'
- 'Get-NetRDPSession'
- 'Get-RegistryMountedDrive'
- 'Get-RegLoggedOn'
- 'Get-WMIRegCachedRDPConnection'
- 'Get-WMIRegLastLoggedOn'
- 'Get-WMIRegMountedDrive'
- 'Get-WMIRegProxy'
- 'Invoke-ACLScanner'
- 'Invoke-CheckLocalAdminAccess'
- 'Invoke-EnumerateLocalAdmin'
- 'Invoke-EventHunter'
- 'Invoke-FileFinder'
- 'Invoke-Kerberoast'
- 'Invoke-MapDomainTrust'
- 'Invoke-ProcessHunter'
- 'Invoke-RevertToSelf'
- 'Invoke-ShareFinder'
- 'Invoke-UserHunter'
- 'Invoke-UserImpersonation'
- 'Remove-RemoteConnection'
- 'Request-SPNTicket'
- 'Resolve-IPAddress'
# - 'Get-ADObject' # prone to FPs
# - 'Get-Domain' # too many FPs # Covers Cmdlets like: DomainComputer, DomainController, DomainDFSShare, DomainDNSRecord, DomainGPO, etc.
# - 'Add-DomainGroupMember'
# - 'Add-DomainObjectAcl'
# - 'Add-ObjectAcl'
# - 'Add-RemoteConnection'
# - 'Convert-ADName'
# - 'Convert-NameToSid'
# - 'ConvertFrom-UACValue'
# - 'ConvertTo-SID'
# - 'Get-DNSRecord'
# - 'Get-DNSZone'
# - 'Get-DomainComputer'
# - 'Get-DomainController'
# - 'Get-DomainGroup'
# - 'Get-DomainGroupMember'
# - 'Get-DomainManagedSecurityGroup'
# - 'Get-DomainObject'
# - 'Get-DomainObjectAcl'
# - 'Get-DomainOU'
# - 'Get-DomainPolicy'
# - 'Get-DomainSID'
# - 'Get-DomainSite'
# - 'Get-DomainSPNTicket'
# - 'Get-DomainSubnet'
# - 'Get-DomainUser'
# - 'Get-DomainUserEvent'
# - 'Get-Forest' # Covers: Get-ForestDomain, Get-ForestGlobalCatalog, Get-ForestTrust
# - 'Get-IPAddress'
# - 'Get-NetComputer' # Covers: Get-NetComputerSiteName
# - 'Get-NetDomain' # Covers: Get-NetDomainController, Get-NetDomainTrust
# - 'Get-NetGroup' # Covers: Get-NetGroupMember
# - 'Get-NetLocalGroup' # Covers: NetLocalGroupMember
# - 'Get-NetLoggedon'
# - 'Get-NetOU'
# - 'Get-NetSession'
# - 'Get-NetShare'
# - 'Get-NetSite'
# - 'Get-NetSubnet'
# - 'Get-NetUser'
# - 'Get-ObjectAcl'
# - 'Get-PathAcl'
# - 'Get-Proxy'
# - 'Get-SiteName'
# - 'Get-UserEvent'
# - 'Get-WMIProcess'
# - 'New-DomainGroup'
# - 'New-DomainUser'
# - 'Set-ADObject'
# - 'Set-DomainObject'
# - 'Set-DomainUserPassword'
# - 'Test-AdminAccess'
condition: selection
falsepositives:
- Unknown
level: high
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml