Detectionhightest
Malicious PowerShell Scripts - PoshModule
Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
François Hubaut, Nasreddine Bencherchali (Nextron Systems)Created Mon Jan 23Updated Wed Dec 1041025fd7-0466-4650-a813-574aaacbe7f4windows
Log Source
WindowsPowerShell Module
ProductWindows← raw: windows
CategoryPowerShell Module← raw: ps_module
Definition
0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
Detection Logic
Detection Logic2 selectors
detection:
selection_generic:
ContextInfo|contains:
- 'Add-ConstrainedDelegationBackdoor.ps1'
- 'Add-Exfiltration.ps1'
- 'Add-Persistence.ps1'
- 'Add-RegBackdoor.ps1'
- 'Add-RemoteRegBackdoor.ps1'
- 'Add-ScrnSaveBackdoor.ps1'
- 'BadSuccessor.ps1'
- 'Check-VM.ps1'
- 'ConvertTo-ROT13.ps1'
- 'Copy-VSS.ps1'
- 'Create-MultipleSessions.ps1'
- 'DNS_TXT_Pwnage.ps1'
- 'dnscat2.ps1'
- 'Do-Exfiltration.ps1'
- 'DomainPasswordSpray.ps1'
- 'Download_Execute.ps1'
- 'Download-Execute-PS.ps1'
- 'Enabled-DuplicateToken.ps1'
- 'Enable-DuplicateToken.ps1'
- 'Execute-Command-MSSQL.ps1'
- 'Execute-DNSTXT-Code.ps1'
- 'Execute-OnTime.ps1'
- 'ExetoText.ps1'
- 'Exploit-Jboss.ps1'
- 'Find-AVSignature.ps1'
- 'Find-Fruit.ps1'
- 'Find-GPOLocation.ps1'
- 'Find-TrustedDocuments.ps1'
- 'FireBuster.ps1'
- 'FireListener.ps1'
- 'Get-ApplicationHost.ps1'
- 'Get-ChromeDump.ps1'
- 'Get-ClipboardContents.ps1'
- 'Get-ComputerDetail.ps1'
- 'Get-FoxDump.ps1'
- 'Get-GPPAutologon.ps1'
- 'Get-GPPPassword.ps1'
- 'Get-IndexedItem.ps1'
- 'Get-Keystrokes.ps1'
- 'Get-LSASecret.ps1'
- 'Get-MicrophoneAudio.ps1'
- 'Get-PassHashes.ps1'
- 'Get-PassHints.ps1'
- 'Get-RegAlwaysInstallElevated.ps1'
- 'Get-RegAutoLogon.ps1'
- 'Get-RickAstley.ps1'
- 'Get-Screenshot.ps1'
- 'Get-SecurityPackages.ps1'
- 'Get-ServiceFilePermission.ps1'
- 'Get-ServicePermission.ps1'
- 'Get-ServiceUnquoted.ps1'
- 'Get-SiteListPassword.ps1'
- 'Get-System.ps1'
- 'Get-TimedScreenshot.ps1'
- 'Get-UnattendedInstallFile.ps1'
- 'Get-Unconstrained.ps1'
- 'Get-USBKeystrokes.ps1'
- 'Get-VaultCredential.ps1'
- 'Get-VulnAutoRun.ps1'
- 'Get-VulnSchTask.ps1'
- 'Get-WebConfig.ps1'
- 'Get-WebCredentials.ps1'
- 'Get-WLAN-Keys.ps1'
- 'Gupt-Backdoor.ps1'
- 'HTTP-Backdoor.ps1'
- 'HTTP-Login.ps1'
- 'Install-ServiceBinary.ps1'
- 'Install-SSP.ps1'
- 'Invoke-ACLScanner.ps1'
- 'Invoke-ADSBackdoor.ps1'
- 'Invoke-AmsiBypass.ps1'
- 'Invoke-ARPScan.ps1'
- 'Invoke-BackdoorLNK.ps1'
- 'Invoke-BadPotato.ps1'
- 'Invoke-BetterSafetyKatz.ps1'
- 'Invoke-BruteForce.ps1'
- 'Invoke-BypassUAC.ps1'
- 'Invoke-Carbuncle.ps1'
- 'Invoke-Certify.ps1'
- 'Invoke-ConPtyShell.ps1'
- 'Invoke-CredentialInjection.ps1'
- 'Invoke-CredentialsPhish.ps1'
- 'Invoke-DAFT.ps1'
- 'Invoke-DCSync.ps1'
- 'Invoke-Decode.ps1'
- 'Invoke-DinvokeKatz.ps1'
- 'Invoke-DllInjection.ps1'
- 'Invoke-DNSExfiltrator.ps1'
- 'Invoke-DowngradeAccount.ps1'
- 'Invoke-EgressCheck.ps1'
- 'Invoke-Encode.ps1'
- 'Invoke-EventViewer.ps1'
- 'Invoke-Eyewitness.ps1'
- 'Invoke-FakeLogonScreen.ps1'
- 'Invoke-Farmer.ps1'
- 'Invoke-Get-RBCD-Threaded.ps1'
- 'Invoke-Gopher.ps1'
- 'Invoke-Grouper2.ps1'
- 'Invoke-Grouper3.ps1'
- 'Invoke-HandleKatz.ps1'
- 'Invoke-Interceptor.ps1'
- 'Invoke-Internalmonologue.ps1'
- 'Invoke-Inveigh.ps1'
- 'Invoke-InveighRelay.ps1'
- 'Invoke-JSRatRegsvr.ps1'
- 'Invoke-JSRatRundll.ps1'
- 'Invoke-KrbRelay.ps1'
- 'Invoke-KrbRelayUp.ps1'
- 'Invoke-LdapSignCheck.ps1'
- 'Invoke-Lockless.ps1'
- 'Invoke-MalSCCM.ps1'
- 'Invoke-Mimikatz.ps1'
- 'Invoke-MimikatzWDigestDowngrade.ps1'
- 'Invoke-Mimikittenz.ps1'
- 'Invoke-MITM6.ps1'
- 'Invoke-NanoDump.ps1'
- 'Invoke-NetRipper.ps1'
- 'Invoke-NetworkRelay.ps1'
- 'Invoke-NinjaCopy.ps1'
- 'Invoke-OxidResolver.ps1'
- 'Invoke-P0wnedshell.ps1'
- 'Invoke-P0wnedshellx86.ps1'
- 'Invoke-Paranoia.ps1'
- 'Invoke-PortScan.ps1'
- 'Invoke-PoshRatHttp.ps1'
- 'Invoke-PoshRatHttps.ps1'
- 'Invoke-PostExfil.ps1'
- 'Invoke-PowerDump.ps1'
- 'Invoke-PowerDPAPI.ps1'
- 'Invoke-PowerShellIcmp.ps1'
- 'Invoke-PowerShellTCP.ps1'
- 'Invoke-PowerShellTcpOneLine.ps1'
- 'Invoke-PowerShellTcpOneLineBind.ps1'
- 'Invoke-PowerShellUdp.ps1'
- 'Invoke-PowerShellUdpOneLine.ps1'
- 'Invoke-PowerShellWMI.ps1'
- 'Invoke-PowerThIEf.ps1'
- 'Invoke-PPLDump.ps1'
- 'Invoke-Prasadhak.ps1'
- 'Invoke-PsExec.ps1'
- 'Invoke-PsGcat.ps1'
- 'Invoke-PsGcatAgent.ps1'
- 'Invoke-PSInject.ps1'
- 'Invoke-PsUaCme.ps1'
- 'Invoke-ReflectivePEInjection.ps1'
- 'Invoke-ReverseDNSLookup.ps1'
- 'Invoke-Rubeus.ps1'
- 'Invoke-RunAs.ps1'
- 'Invoke-SafetyKatz.ps1'
- 'Invoke-SauronEye.ps1'
- 'Invoke-SCShell.ps1'
- 'Invoke-Seatbelt.ps1'
- 'Invoke-ServiceAbuse.ps1'
- 'Invoke-SessionGopher.ps1'
- 'Invoke-ShellCode.ps1'
- 'Invoke-SMBScanner.ps1'
- 'Invoke-Snaffler.ps1'
- 'Invoke-Spoolsample.ps1'
- 'Invoke-SSHCommand.ps1'
- 'Invoke-SSIDExfil.ps1'
- 'Invoke-StandIn.ps1'
- 'Invoke-StickyNotesExtract.ps1'
- 'Invoke-Tater.ps1'
- 'Invoke-Thunderfox.ps1'
- 'Invoke-ThunderStruck.ps1'
- 'Invoke-TokenManipulation.ps1'
- 'Invoke-Tokenvator.ps1'
- 'Invoke-TotalExec.ps1'
- 'Invoke-UrbanBishop.ps1'
- 'Invoke-UserHunter.ps1'
- 'Invoke-VoiceTroll.ps1'
- 'Invoke-Whisker.ps1'
- 'Invoke-WinEnum.ps1'
- 'Invoke-winPEAS.ps1'
- 'Invoke-WireTap.ps1'
- 'Invoke-WmiCommand.ps1'
- 'Invoke-WScriptBypassUAC.ps1'
- 'Invoke-Zerologon.ps1'
- 'Keylogger.ps1'
- 'MailRaider.ps1'
- 'New-HoneyHash.ps1'
- 'OfficeMemScraper.ps1'
- 'Offline_Winpwn.ps1'
- 'Out-CHM.ps1'
- 'Out-DnsTxt.ps1'
- 'Out-Excel.ps1'
- 'Out-HTA.ps1'
- 'Out-Java.ps1'
- 'Out-JS.ps1'
- 'Out-Minidump.ps1'
- 'Out-RundllCommand.ps1'
- 'Out-SCF.ps1'
- 'Out-SCT.ps1'
- 'Out-Shortcut.ps1'
- 'Out-WebQuery.ps1'
- 'Out-Word.ps1'
- 'Parse_Keys.ps1'
- 'Port-Scan.ps1'
- 'PowerBreach.ps1'
- 'powercat.ps1'
- 'PowerRunAsSystem.psm1'
- 'PowerSharpPack.ps1'
- 'PowerUp.ps1'
- 'PowerUpSQL.ps1'
- 'PowerView.ps1'
- 'PSAsyncShell.ps1'
- 'RemoteHashRetrieval.ps1'
- 'Remove-Persistence.ps1'
- 'Remove-PoshRat.ps1'
- 'Remove-Update.ps1'
- 'Run-EXEonRemote.ps1'
- 'Schtasks-Backdoor.ps1'
- 'Set-DCShadowPermissions.ps1'
- 'Set-MacAttribute.ps1'
- 'Set-RemotePSRemoting.ps1'
- 'Set-RemoteWMI.ps1'
- 'Set-Wallpaper.ps1'
- 'Show-TargetScreen.ps1'
- 'Speak.ps1'
- 'Start-CaptureServer.ps1'
- 'Start-WebcamRecorder.ps1'
- 'StringToBase64.ps1'
- 'TexttoExe.ps1'
- 'Veeam-Get-Creds.ps1'
- 'VolumeShadowCopyTools.ps1'
- 'WinPwn.ps1'
- 'WSUSpendu.ps1'
selection_invoke_sharp:
ContextInfo|contains|all:
- 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
- '.ps1'
condition: 1 of selection_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
References
1234567891011121314151617181920
Resolving title…
github.comResolving title…
github.comResolving title…
github.comResolving title…
web.archive.orgResolving title…
github.comResolving title…
github.comResolving title…
github.comResolving title…
github.comResolving title…
github.comResolving title…
github.comResolving title…
github.comResolving title…
unit42.paloaltonetworks.comResolving title…
research.nccgroup.comResolving title…
github.comResolving title…
github.comResolving title…
github.comResolving title…
github.comResolving title…
github.comResolving title…
github.comResolving title…
github.comMITRE ATT&CK
Tactics
Sub-techniques
Related Rules
SimilarDetectionhigh
Malicious PowerShell Scripts - FileCreation
Detects the creation of known offensive powershell scripts used for exploitation
Detects similar activity. Both rules may fire on overlapping events.
Similar
Rule not foundbf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
Rule Metadata
Rule ID
41025fd7-0466-4650-a813-574aaacbe7f4
Status
test
Level
high
Type
Detection
Created
Mon Jan 23
Modified
Wed Dec 10
Path
rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml
Raw Tags
attack.executionattack.t1059.001