Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules: 3,707 (ready to search)
Backends: 17 (live from sigconverter.io)
CLI Versions: 10 (newest: 2.0.2)
Translation Workspace
Shape the rule before it leaves Phoenix
Active Rule: Malicious Nishang PowerShell Commandlets
Target Profile: Splunk (Splunk SPL & tstats data model queries)
Format Mode: Default (Plain SPL queries)
Conversion Output
Malicious Nishang PowerShell Commandlets
Using Splunk · Default · sigma-cli 2.0.2
title: Malicious Nishang PowerShell Commandlets
id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
status: test
description: Detects Commandlet names and arguments from the Nishang exploitation framework
references:
    - https://github.com/samratashok/nishang
author: Alec Costello
date: 2019-05-16
modified: 2023-01-16
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Add-ConstrainedDelegationBackdoor'
            # - 'Add-Persistence' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            # - 'Add-RegBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            # - 'Add-ScrnSaveBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            - 'Copy-VSS'
            - 'Create-MultipleSessions'
            - 'DataToEncode'
            - 'DNS_TXT_Pwnage'
            - 'Do-Exfiltration-Dns'
            - 'Download_Execute'
            - 'Download-Execute-PS'
            - 'DownloadAndExtractFromRemoteRegistry'
            - 'DumpCerts'
            - 'DumpCreds'
            - 'DumpHashes'
            - 'Enable-DuplicateToken'
            - 'Enable-Duplication'
            - 'Execute-Command-MSSQL'
            - 'Execute-DNSTXT-Code'
            - 'Execute-OnTime'
            - 'ExetoText'
            - 'exfill'
            - 'ExfilOption'
            - 'FakeDC'
            - 'FireBuster'
            - 'FireListener'
            - 'Get-Information ' # Space at the end is required. Otherwise, we get FP with Get-InformationBarrierReportDetails or Get-InformationBarrierReportSummary
            # - 'Get-PassHashes' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            - 'Get-PassHints'
            - 'Get-Web-Credentials'
            - 'Get-WebCredentials'
            - 'Get-WLAN-Keys'
            # - 'Gupt-Backdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            - 'HTTP-Backdoor'
            # - 'Invoke-ADSBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            - 'Invoke-AmsiBypass'
            - 'Invoke-BruteForce'
            - 'Invoke-CredentialsPhish'
            - 'Invoke-Decode'
            - 'Invoke-Encode'
            - 'Invoke-Interceptor'
            - 'Invoke-JSRatRegsvr'
            - 'Invoke-JSRatRundll'
            - 'Invoke-MimikatzWDigestDowngrade'
            - 'Invoke-NetworkRelay'
            # - 'Invoke-PortScan' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            # - 'Invoke-PoshRatHttp' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            - 'Invoke-PowerShellIcmp'
            - 'Invoke-PowerShellUdp'
            - 'Invoke-Prasadhak'
            - 'Invoke-PSGcat'
            - 'Invoke-PsGcatAgent'
            # - 'Invoke-PsUACme' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            - 'Invoke-SessionGopher'
            - 'Invoke-SSIDExfil'
            # - Jitter # Prone to FPs
            # - 'Keylogger' # Too generic to be linked to Nishang
            - 'LoggedKeys'
            - 'Nishang'
            - 'NotAllNameSpaces' # This is param to "Set-RemoteWMI"
            - 'Out-CHM'
            - 'OUT-DNSTXT'
            - 'Out-HTA'
            - 'Out-RundllCommand'
            - 'Out-SCF'
            - 'Out-SCT'
            - 'Out-Shortcut'
            - 'Out-WebQuery'
            - 'Out-Word'
            - 'Parse_Keys'
            - 'Password-List'
            - 'Powerpreter'
            - 'Remove-Persistence'
            - 'Remove-PoshRat'
            - 'Remove-Update'
            - 'Run-EXEonRemote'
            - 'Set-DCShadowPermissions'
            - 'Set-RemotePSRemoting'
            - 'Set-RemoteWMI'
            - 'Shellcode32'
            - 'Shellcode64'
            - 'StringtoBase64'
            - 'TexttoExe'
    condition: selection
falsepositives:
    - Unknown
level: high
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
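
A rule test for the `ScriptBlockText|contains` selection and the trailing-space comment on 'Get-Information ', added here as an example; it is not Phoenix, sigma-cli, or rule-author code. It assumes Sigma's default case-insensitive substring matching; the function names and the sample events are constructed for illustration.

```python
# Added example: evaluate a subset of the rule's ScriptBlockText|contains
# values against constructed script block text (as logged with
# Script Block Logging enabled). Names below are hypothetical.

# Subset of the selection values, copied from the rule above.
SELECTION = [
    "Copy-VSS",
    "Get-Information ",  # the trailing space is part of the value
    "Get-PassHints",
    "Invoke-AmsiBypass",
    "Out-HTA",
]


def sigma_contains(value, patterns):
    """Return the patterns found in value.

    Sigma string matching is case-insensitive unless a rule says otherwise,
    so both sides are lowercased before the substring test.
    """
    lowered = value.lower()
    return [p for p in patterns if p.lower() in lowered]


def evaluate(events, patterns=SELECTION):
    """Map each event id to its matched patterns (empty list means no alert)."""
    return {e["id"]: sigma_contains(e["ScriptBlockText"], patterns) for e in events}


# Constructed sample events, not taken from real logs.
EVENTS = [
    # Cmdlet named in the rule's false-positive comment: must not alert.
    {"id": "benign-exchange",
     "ScriptBlockText": "Get-InformationBarrierReportSummary -Identity 42"},
    # Call followed by a space: matched by 'Get-Information '.
    {"id": "with-args",
     "ScriptBlockText": "Get-Information | Out-File report.txt"},
    # Different casing still matches.
    {"id": "lowercase", "ScriptBlockText": "get-passhints"},
    # Coverage check: a call followed directly by a newline is not matched
    # by this one value, which is the cost of the trailing space.
    {"id": "bare-call", "ScriptBlockText": "Get-Information\n"},
]

if __name__ == "__main__":
    for event_id, hits in evaluate(EVENTS).items():
        print(event_id, "ALERT" if hits else "no match", hits)
```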