event.category:process and host.os.type:windows and
powershell.file.script_block_text : (
"Add-DomainGroupMember" or "Add-DomainObjectAcl" or
"Add-RemoteConnection" or "Add-ServiceDacl" or
"Add-Win32Type" or "Convert-ADName" or
"Convert-LDAPProperty" or "ConvertFrom-LDAPLogonHours" or
"ConvertFrom-UACValue" or "Copy-ArrayOfMemAddresses" or
"Create-NamedPipe" or "Create-ProcessWithToken" or
"Create-RemoteThread" or "Create-SuspendedWinLogon" or
"Create-WinLogonProcess" or "Emit-CallThreadStub" or
"Enable-SeAssignPrimaryTokenPrivilege" or "Enable-SeDebugPrivilege" or
"Enum-AllTokens" or "Export-PowerViewCSV" or
"Find-AVSignature" or "Find-AppLockerLog" or
"Find-DomainLocalGroupMember" or "Find-DomainObjectPropertyOutlier" or
"Find-DomainProcess" or "Find-DomainShare" or
"Find-DomainUserEvent" or "Find-DomainUserLocation" or
"Find-InterestingDomainAcl" or "Find-InterestingDomainShareFile" or
"Find-InterestingFile" or "Find-LocalAdminAccess" or
"Find-PSScriptsInPSAppLog" or "Find-PathDLLHijack" or
"Find-ProcessDLLHijack" or "Find-RDPClientConnection" or
"Get-AllAttributesForClass" or "Get-CachedGPPPassword" or
"Get-DecryptedCpassword" or "Get-DecryptedSitelistPassword" or
"Get-DelegateType" or "New-RelayEnumObject" or
"Get-DomainDFSShare" or "Get-DomainDFSShareV1" or
"Get-DomainDFSShareV2" or "Get-DomainDNSRecord" or
"Get-DomainDNSZone" or "Get-DomainFileServer" or
"Get-DomainForeignGroupMember" or "Get-DomainForeignUser" or
"Get-DomainGPO" or "Get-DomainGPOComputerLocalGroupMapping" or
"Get-DomainGPOLocalGroup" or "Get-DomainGPOUserLocalGroupMapping" or
"Get-DomainGUIDMap" or "Get-DomainGroup" or
"Get-DomainGroupMember" or "Get-DomainGroupMemberDeleted" or
"Get-DomainManagedSecurityGroup" or "Get-DomainOU" or
"Get-DomainObject" or "Get-DomainObjectAcl" or
"Get-DomainObjectAttributeHistory" or "Get-DomainObjectLinkedAttributeHistory" or
"Get-DomainPolicyData" or "Get-DomainSID" or
"Get-DomainSPNTicket" or "Get-DomainSearcher" or
"Get-DomainSite" or "Get-DomainSubnet" or
"Get-DomainTrust" or "Get-DomainTrustMapping" or
"Get-DomainUser" or "Get-DomainUserEvent" or
"Get-Forest" or "Get-ForestDomain" or
"Get-ForestGlobalCatalog" or "Get-ForestSchemaClass" or
"Get-ForestTrust" or "Get-GPODelegation" or
"Get-GPPAutologon" or "Get-GPPInnerField" or
"Get-GPPInnerFields" or "Get-GPPPassword" or
"Get-GptTmpl" or "Get-GroupsXML" or
"Get-HttpStatus" or "Get-ImageNtHeaders" or
"Get-Keystrokes" or "New-SOASerialNumberArray" or
"Get-MemoryProcAddress" or "Get-MicrophoneAudio" or
"Get-ModifiablePath" or "Get-ModifiableRegistryAutoRun" or
"Get-ModifiableScheduledTaskFile" or "Get-ModifiableService" or
"Get-ModifiableServiceFile" or "Get-Name" or
"Get-NetComputerSiteName" or "Get-NetLocalGroup" or
"Get-NetLocalGroupMember" or "Get-NetLoggedon" or
"Get-NetRDPSession" or "Get-NetSession" or
"Get-NetShare" or "Get-PEArchitecture" or
"Get-PEBasicInfo" or "Get-PEDetailedInfo" or
"Get-PathAcl" or "Get-PrimaryToken" or
"Get-ProcAddress" or "Get-ProcessTokenGroup" or
"Get-ProcessTokenPrivilege" or "Get-ProcessTokenType" or
"Get-RegLoggedOn" or "Get-RegistryAlwaysInstallElevated" or
"Get-RegistryAutoLogon" or "Get-RemoteProcAddress" or
"Get-Screenshot" or "Get-ServiceDetail" or
"Get-SiteListPassword" or "Get-SitelistField" or
"Get-System" or "Get-SystemNamedPipe" or
"Get-SystemToken" or "Get-ThreadToken" or
"Get-TimedScreenshot" or "Get-TokenInformation" or
"Get-TopPort" or "Get-UnattendedInstallFile" or
"Get-UniqueTokens" or "Get-UnquotedService" or
"Get-VaultCredential" or "Get-VaultElementValue" or
"Get-VirtualProtectValue" or "Get-VolumeShadowCopy" or
"Get-WMIProcess" or "Get-WMIRegCachedRDPConnection" or
"Get-WMIRegLastLoggedOn" or "Get-WMIRegMountedDrive" or
"Get-WMIRegProxy" or "Get-WebConfig" or
"Get-Win32Constants" or "Get-Win32Functions" or
"Get-Win32Types" or "Import-DllImports" or
"Import-DllInRemoteProcess" or "Inject-LocalShellcode" or
"Inject-RemoteShellcode" or "Install-ServiceBinary" or
"Invoke-CompareAttributesForClass" or "Invoke-CreateRemoteThread" or
"Invoke-CredentialInjection" or "Invoke-DllInjection" or
"Invoke-EventVwrBypass" or "Invoke-ImpersonateUser" or
"Invoke-Kerberoast" or "Invoke-MemoryFreeLibrary" or
"Invoke-MemoryLoadLibrary" or
"Invoke-Mimikatz" or "Invoke-NinjaCopy" or
"Invoke-PatchDll" or "Invoke-Portscan" or
"Invoke-PrivescAudit" or "Invoke-ReflectivePEInjection" or
"Invoke-ReverseDnsLookup" or "Invoke-RevertToSelf" or
"Invoke-ServiceAbuse" or "Invoke-Shellcode" or
"Invoke-TokenManipulation" or "Invoke-UserImpersonation" or
"Invoke-WmiCommand" or "Mount-VolumeShadowCopy" or
"New-ADObjectAccessControlEntry" or "New-DomainGroup" or
"New-DomainUser" or "New-DynamicParameter" or
"New-InMemoryModule" or
"New-ThreadedFunction" or "New-VolumeShadowCopy" or
"Out-CompressedDll" or "Out-EncodedCommand" or
"Out-EncryptedScript" or "Out-Minidump" or
"PortScan-Alive" or "Portscan-Port" or
"Remove-DomainGroupMember" or "Remove-DomainObjectAcl" or
"Remove-RemoteConnection" or "Remove-VolumeShadowCopy" or
"Restore-ServiceBinary" or "Set-DesktopACLToAllowEveryone" or
"Set-DesktopACLs" or "Set-DomainObject" or
"Set-DomainObjectOwner" or "Set-DomainUserPassword" or
"Set-ServiceBinaryPath" or "Sub-SignedIntAsUnsigned" or
"Test-AdminAccess" or "Test-MemoryRangeValid" or
"Test-ServiceDaclPermission" or "Update-ExeFunctions" or
"Update-MemoryAddresses" or "Update-MemoryProtectionFlags" or
"Write-BytesToMemory" or "Write-HijackDll" or
"Write-PortscanOut" or "Write-ServiceBinary" or
"Write-UserAddMSI" or "Invoke-Privesc" or
"func_get_proc_address" or "Invoke-BloodHound" or
"Invoke-HostEnum" or "Get-BrowserInformation" or
"Get-DomainAccountPolicy" or "Get-DomainAdmins" or
"Get-AVProcesses" or "Get-AVInfo" or
"Get-RecycleBin" or "Invoke-BruteForce" or
"Get-PassHints" or "Invoke-SessionGopher" or
"Get-LSASecret" or "Get-PassHashes" or
"Invoke-WdigestDowngrade" or "Get-ChromeDump" or
"Invoke-DomainPasswordSpray" or "Get-FoxDump" or
"New-HoneyHash" or "Invoke-DCSync" or
"Invoke-PowerDump" or "Invoke-SSIDExfil" or
"Invoke-PowerShellTCP" or "Add-Exfiltration" or
"Do-Exfiltration" or "Invoke-DropboxUpload" or
"Invoke-ExfilDataToGitHub" or "Invoke-EgressCheck" or
"Invoke-PostExfil" or "Create-MultipleSessions" or
"Invoke-NetworkRelay" or "New-GPOImmediateTask" or
"Invoke-WMIDebugger" or "Invoke-SQLOSCMD" or
"Invoke-SMBExec" or "Invoke-PSRemoting" or
"Invoke-ExecuteMSBuild" or "Invoke-DCOM" or
"Invoke-InveighRelay" or "Invoke-PsExec" or
"Find-ActiveUsersWMI" or
"Get-SystemDrivesWMI" or "Get-ActiveNICSWMI" or
"Remove-Persistence" or "DNS_TXT_Pwnage" or
"Execute-OnTime" or "HTTP-Backdoor" or
"Add-ConstrainedDelegationBackdoor" or "Add-RegBackdoor" or
"Add-ScrnSaveBackdoor" or "Gupt-Backdoor" or
"Invoke-ADSBackdoor" or "Add-Persistence" or
"Invoke-ResolverBackdoor" or "Invoke-EventLogBackdoor" or
"Invoke-DeadUserBackdoor" or "Invoke-DisableMachineAcctChange" or
"Invoke-AccessBinary" or "Add-NetUser" or
"Invoke-Schtasks" or "Invoke-JSRatRegsvr" or
"Invoke-JSRatRundll" or "Invoke-PoshRatHttps" or
"Invoke-PsGcatAgent" or "Remove-PoshRat" or
"Install-SSP" or "Invoke-BackdoorLNK" or
"PowerBreach" or "InstallEXE-Persistence" or
"RemoveEXE-Persistence" or "Install-ServiceLevel-Persistence" or
"Remove-ServiceLevel-Persistence" or "Invoke-Prompt" or
"Invoke-PacketCapture" or "Start-WebcamRecorder" or
"Get-USBKeyStrokes" or "Invoke-KeeThief" or
"Get-Keystrokes" or "Invoke-NetRipper" or
"Get-EmailItems" or "Invoke-MailSearch" or
"Invoke-SearchGAL" or "Get-WebCredentials" or
"Start-CaptureServer" or "Invoke-PowerShellIcmp" or
"Invoke-PowerShellTcpOneLine" or "Invoke-PowerShellTcpOneLineBind" or
"Invoke-PowerShellUdp" or "Invoke-PowerShellUdpOneLine" or
"Run-EXEonRemote" or "Download-Execute-PS" or
"Out-RundllCommand" or "Set-RemoteWMI" or
"Set-DCShadowPermissions" or "Invoke-PowerShellWMI" or
"Invoke-Vnc" or "Invoke-LockWorkStation" or
"Invoke-EternalBlue" or "Invoke-ShellcodeMSIL" or
"Invoke-MetasploitPayload" or "Invoke-DowngradeAccount" or
"Invoke-RunAs" or "ExetoText" or
"Disable-SecuritySettings" or "Set-MacAttribute" or
"Invoke-MS16032" or "Invoke-BypassUACTokenManipulation" or
"Invoke-SDCLTBypass" or "Invoke-FodHelperBypass" or
"Invoke-EventVwrBypass" or "Invoke-EnvBypass" or
"Get-ServiceUnquoted" or "Get-ServiceFilePermission" or
"Get-ServicePermission" or
"Enable-DuplicateToken" or "Invoke-PsUaCme" or
"Invoke-Tater" or "Invoke-WScriptBypassUAC" or
"Invoke-AllChecks" or "Find-TrustedDocuments" or
"Invoke-Interceptor" or "Invoke-PoshRatHttp" or
"Invoke-ExecCommandWMI" or "Invoke-KillProcessWMI" or
"Invoke-CreateShareandExecute" or "Invoke-RemoteScriptWithOutput" or
"Invoke-SchedJobManipulation" or "Invoke-ServiceManipulation" or
"Invoke-PowerOptionsWMI" or "Invoke-DirectoryListing" or
"Invoke-FileTransferOverWMI" or "Invoke-WMImplant" or
"Invoke-WMIObfuscatedPSCommand" or "Invoke-WMIDuplicateClass" or
"Invoke-WMIUpload" or "Invoke-WMIRemoteExtract" or "Invoke-winPEAS" or
"Invoke-AzureHound" or "Invoke-SharpHound"
) and
not powershell.file.script_block_text : (
"sentinelbreakpoints" and "Set-PSBreakpoint"
) and
not user.id : ("S-1-5-18" or "S-1-5-19")
Install detection rules in Elastic Security
Detect Potential PowerShell HackTool Script by Function Names in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, see the installation guide for Prebuilt Security Detection Rules (opens in a new tab or window).