The hypothesis is that the creation of files named after known offensive PowerShell scripts indicates that an adversary is staging tooling to execute arbitrary code and gain unauthorized access or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate a potential compromise early in the attack lifecycle.
Detection Rule
title: Malicious PowerShell Scripts - FileCreation
id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
related:
    - id: 41025fd7-0466-4650-a813-574aaacbe7f4
      type: similar
status: test
description: Detects the creation of known offensive powershell scripts used for exploitation
references:
- https://github.com/PowerShellMafia/PowerSploit
- https://github.com/NetSPI/PowerUpSQL
- https://github.com/CsEnox/EventViewer-UACBypass
- https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu
- https://github.com/nettitude/Invoke-PowerThIEf
- https://github.com/S3cur3Th1sSh1t/WinPwn
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
- https://github.com/besimorhino/powercat
- https://github.com/Kevin-Robertson/Powermad
- https://github.com/adrecon/ADRecon
- https://github.com/adrecon/AzureADRecon
- https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
- https://github.com/The-Viper-One/Invoke-PowerDPAPI/
- https://github.com/Arno0x/DNSExfiltrator/
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein
date: 2018-04-07
modified: 2025-12-10
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: file_event
    product: windows
detection:
    selection_generic:
        TargetFilename|endswith:
            # Note: Please ensure alphabetical order when adding new entries
            - '\Add-ConstrainedDelegationBackdoor.ps1'
            - '\Add-Exfiltration.ps1'
            - '\Add-Persistence.ps1'
            - '\Add-RegBackdoor.ps1'
            - '\Add-RemoteRegBackdoor.ps1'
            - '\Add-ScrnSaveBackdoor.ps1'
            - '\ADRecon.ps1'
            - '\AzureADRecon.ps1'
            - '\BadSuccessor.ps1'
            - '\Check-VM.ps1'
            - '\ConvertTo-ROT13.ps1'
            - '\Copy-VSS.ps1'
            - '\Create-MultipleSessions.ps1'
            - '\DNS_TXT_Pwnage.ps1'
            - '\dnscat2.ps1'
            - '\Do-Exfiltration.ps1'
            - '\DomainPasswordSpray.ps1'
            - '\Download_Execute.ps1'
            - '\Download-Execute-PS.ps1'
            - '\Enable-DuplicateToken.ps1'
            - '\Enabled-DuplicateToken.ps1'
            - '\Execute-Command-MSSQL.ps1'
            - '\Execute-DNSTXT-Code.ps1'
            - '\Execute-OnTime.ps1'
            - '\ExetoText.ps1'
            - '\Exploit-Jboss.ps1'
            - '\Find-AVSignature.ps1'
            - '\Find-Fruit.ps1'
            - '\Find-GPOLocation.ps1'
            - '\Find-TrustedDocuments.ps1'
            - '\FireBuster.ps1'
            - '\FireListener.ps1'
            - '\Get-ApplicationHost.ps1'
            - '\Get-ChromeDump.ps1'
            - '\Get-ClipboardContents.ps1'
            - '\Get-ComputerDetail.ps1'
            - '\Get-FoxDump.ps1'
            - '\Get-GPPAutologon.ps1'
            - '\Get-GPPPassword.ps1'
            - '\Get-IndexedItem.ps1'
            - '\Get-Keystrokes.ps1'
            - '\Get-LSASecret.ps1'
            - '\Get-MicrophoneAudio.ps1'
            - '\Get-PassHashes.ps1'
            - '\Get-PassHints.ps1'
            - '\Get-RegAlwaysInstallElevated.ps1'
            - '\Get-RegAutoLogon.ps1'
            - '\Get-RickAstley.ps1'
            - '\Get-Screenshot.ps1'
            - '\Get-SecurityPackages.ps1'
            - '\Get-ServiceFilePermission.ps1'
            - '\Get-ServicePermission.ps1'
            - '\Get-ServiceUnquoted.ps1'
            - '\Get-SiteListPassword.ps1'
            - '\Get-System.ps1'
            - '\Get-TimedScreenshot.ps1'
            - '\Get-UnattendedInstallFile.ps1'
            - '\Get-Unconstrained.ps1'
            - '\Get-USBKeystrokes.ps1'
            - '\Get-VaultCredential.ps1'
            - '\Get-VulnAutoRun.ps1'
            - '\Get-VulnSchTask.ps1'
            - '\Get-WebConfig.ps1'
            - '\Get-WebCredentials.ps1'
            - '\Get-WLAN-Keys.ps1'
            - '\Gupt-Backdoor.ps1'
            - '\HTTP-Backdoor.ps1'
            - '\HTTP-Login.ps1'
            - '\Install-ServiceBinary.ps1'
            - '\Install-SSP.ps1'
            - '\Invoke-ACLScanner.ps1'
            - '\Invoke-ADSBackdoor.ps1'
            - '\Invoke-AmsiBypass.ps1'
            - '\Invoke-ARPScan.ps1'
            - '\Invoke-BackdoorLNK.ps1'
            - '\Invoke-BadPotato.ps1'
            - '\Invoke-BetterSafetyKatz.ps1'
            - '\Invoke-BruteForce.ps1'
            - '\Invoke-BypassUAC.ps1'
            - '\Invoke-Carbuncle.ps1'
            - '\Invoke-Certify.ps1'
            - '\Invoke-ConPtyShell.ps1'
            - '\Invoke-CredentialInjection.ps1'
            - '\Invoke-CredentialsPhish.ps1'
            - '\Invoke-DAFT.ps1'
            - '\Invoke-DCSync.ps1'
            - '\Invoke-Decode.ps1'
            - '\Invoke-DinvokeKatz.ps1'
            - '\Invoke-DllInjection.ps1'
            - '\Invoke-DNSExfiltrator.ps1'
            - '\Invoke-DNSUpdate.ps1'
            - '\Invoke-DowngradeAccount.ps1'
            - '\Invoke-EgressCheck.ps1'
            - '\Invoke-Encode.ps1'
            - '\Invoke-EventViewer.ps1'
            - '\Invoke-Eyewitness.ps1'
            - '\Invoke-FakeLogonScreen.ps1'
            - '\Invoke-Farmer.ps1'
            - '\Invoke-Get-RBCD-Threaded.ps1'
            - '\Invoke-Gopher.ps1'
            - '\Invoke-Grouper2.ps1'
            - '\Invoke-Grouper3.ps1'
            - '\Invoke-HandleKatz.ps1'
            - '\Invoke-Interceptor.ps1'
            - '\Invoke-Internalmonologue.ps1'
            - '\Invoke-Inveigh.ps1'
            - '\Invoke-InveighRelay.ps1'
            - '\Invoke-JSRatRegsvr.ps1'
            - '\Invoke-JSRatRundll.ps1'
            - '\Invoke-KrbRelay.ps1'
            - '\Invoke-KrbRelayUp.ps1'
            - '\Invoke-LdapSignCheck.ps1'
            - '\Invoke-Lockless.ps1'
            - '\Invoke-MalSCCM.ps1'
            - '\Invoke-Mimikatz.ps1'
            - '\Invoke-MimikatzWDigestDowngrade.ps1'
            - '\Invoke-Mimikittenz.ps1'
            - '\Invoke-MITM6.ps1'
            - '\Invoke-NanoDump.ps1'
            - '\Invoke-NetRipper.ps1'
            - '\Invoke-NetworkRelay.ps1'
            - '\Invoke-NinjaCopy.ps1'
            - '\Invoke-OxidResolver.ps1'
            - '\Invoke-P0wnedshell.ps1'
            - '\Invoke-P0wnedshellx86.ps1'
            - '\Invoke-Paranoia.ps1'
            - '\Invoke-PortScan.ps1'
            - '\Invoke-PoshRatHttp.ps1'
            - '\Invoke-PoshRatHttps.ps1'
            - '\Invoke-PostExfil.ps1'
            - '\Invoke-PowerDump.ps1'
            - '\Invoke-PowerDPAPI.ps1'
            - '\Invoke-PowerShellIcmp.ps1'
            - '\Invoke-PowerShellTCP.ps1'
            - '\Invoke-PowerShellTcpOneLine.ps1'
            - '\Invoke-PowerShellTcpOneLineBind.ps1'
            - '\Invoke-PowerShellUdp.ps1'
            - '\Invoke-PowerShellUdpOneLine.ps1'
            - '\Invoke-PowerShellWMI.ps1'
            - '\Invoke-PowerThIEf.ps1'
            - '\Invoke-PPLDump.ps1'
            - '\Invoke-Prasadhak.ps1'
            - '\Invoke-PsExec.ps1'
            - '\Invoke-PsGcat.ps1'
            - '\Invoke-PsGcatAgent.ps1'
            - '\Invoke-PSInject.ps1'
            - '\Invoke-PsUaCme.ps1'
            - '\Invoke-ReflectivePEInjection.ps1'
            - '\Invoke-ReverseDNSLookup.ps1'
            - '\Invoke-Rubeus.ps1'
            - '\Invoke-RunAs.ps1'
            - '\Invoke-SafetyKatz.ps1'
            - '\Invoke-SauronEye.ps1'
            - '\Invoke-SCShell.ps1'
            - '\Invoke-Seatbelt.ps1'
            - '\Invoke-ServiceAbuse.ps1'
            - '\Invoke-SessionGopher.ps1'
            - '\Invoke-ShellCode.ps1'
            - '\Invoke-SMBScanner.ps1'
            - '\Invoke-Snaffler.ps1'
            - '\Invoke-Spoolsample.ps1'
            - '\Invoke-SSHCommand.ps1'
            - '\Invoke-SSIDExfil.ps1'
            - '\Invoke-StandIn.ps1'
            - '\Invoke-StickyNotesExtract.ps1'
            - '\Invoke-Tater.ps1'
            - '\Invoke-Thunderfox.ps1'
            - '\Invoke-ThunderStruck.ps1'
            - '\Invoke-TokenManipulation.ps1'
            - '\Invoke-Tokenvator.ps1'
            - '\Invoke-TotalExec.ps1'
            - '\Invoke-UrbanBishop.ps1'
            - '\Invoke-UserHunter.ps1'
            - '\Invoke-VoiceTroll.ps1'
            - '\Invoke-Whisker.ps1'
            - '\Invoke-WinEnum.ps1'
            - '\Invoke-winPEAS.ps1'
            - '\Invoke-WireTap.ps1'
            - '\Invoke-WmiCommand.ps1'
            - '\Invoke-WScriptBypassUAC.ps1'
            - '\Invoke-Zerologon.ps1'
            - '\Keylogger.ps1'
            - '\MailRaider.ps1'
            - '\New-HoneyHash.ps1'
            - '\OfficeMemScraper.ps1'
            - '\Offline_Winpwn.ps1'
            - '\Out-CHM.ps1'
            - '\Out-DnsTxt.ps1'
            - '\Out-Excel.ps1'
            - '\Out-HTA.ps1'
            - '\Out-Java.ps1'
            - '\Out-JS.ps1'
            - '\Out-Minidump.ps1'
            - '\Out-RundllCommand.ps1'
            - '\Out-SCF.ps1'
            - '\Out-SCT.ps1'
            - '\Out-Shortcut.ps1'
            - '\Out-WebQuery.ps1'
            - '\Out-Word.ps1'
            - '\Parse_Keys.ps1'
            - '\Port-Scan.ps1'
            - '\PowerBreach.ps1'
            - '\powercat.ps1'
            - '\Powermad.ps1'
            - '\PowerRunAsSystem.psm1'
            - '\PowerSharpPack.ps1'
            - '\PowerUp.ps1'
            - '\PowerUpSQL.ps1'
            - '\PowerView.ps1'
            - '\PSAsyncShell.ps1'
            - '\RemoteHashRetrieval.ps1'
            - '\Remove-Persistence.ps1'
            - '\Remove-PoshRat.ps1'
            - '\Remove-Update.ps1'
            - '\Run-EXEonRemote.ps1'
            - '\Schtasks-Backdoor.ps1'
            - '\Set-DCShadowPermissions.ps1'
            - '\Set-MacAttribute.ps1'
            - '\Set-RemotePSRemoting.ps1'
            - '\Set-RemoteWMI.ps1'
            - '\Set-Wallpaper.ps1'
            - '\Show-TargetScreen.ps1'
            - '\Speak.ps1'
            - '\Start-CaptureServer.ps1'
            - '\Start-WebcamRecorder.ps1'
            - '\StringToBase64.ps1'
            - '\TexttoExe.ps1'
            - '\Veeam-Get-Creds.ps1'
            - '\VolumeShadowCopyTools.ps1'
            - '\WinPwn.ps1'
            - '\WSUSpendu.ps1'
    selection_invoke_sharp:
        TargetFilename|contains: 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
        TargetFilename|endswith: '.ps1'
    condition: 1 of selection_*
falsepositives:
- Unknown
level: high
imFileEvent
| where (
    TargetFileName endswith "\\Add-ConstrainedDelegationBackdoor.ps1"
    or TargetFileName endswith "\\Add-Exfiltration.ps1"
    or TargetFileName endswith "\\Add-Persistence.ps1"
    or TargetFileName endswith "\\Add-RegBackdoor.ps1"
    or TargetFileName endswith "\\Add-RemoteRegBackdoor.ps1"
    or TargetFileName endswith "\\Add-ScrnSaveBackdoor.ps1"
    or TargetFileName endswith "\\ADRecon.ps1"
    or TargetFileName endswith "\\AzureADRecon.ps1"
    or TargetFileName endswith "\\BadSuccessor.ps1"
    or TargetFileName endswith "\\Check-VM.ps1"
    or TargetFileName endswith "\\ConvertTo-ROT13.ps1"
    or TargetFileName endswith "\\Copy-VSS.ps1"
    or TargetFileName endswith "\\Create-MultipleSessions.ps1"
    or TargetFileName endswith "\\DNS_TXT_Pwnage.ps1"
    or TargetFileName endswith "\\dnscat2.ps1"
    or TargetFileName endswith "\\Do-Exfiltration.ps1"
    or TargetFileName endswith "\\DomainPasswordSpray.ps1"
    or TargetFileName endswith "\\Download_Execute.ps1"
    or TargetFileName endswith "\\Download-Execute-PS.ps1"
    or TargetFileName endswith "\\Enable-DuplicateToken.ps1"
    or TargetFileName endswith "\\Enabled-DuplicateToken.ps1"
    or TargetFileName endswith "\\Execute-Command-MSSQL.ps1"
    or TargetFileName endswith "\\Execute-DNSTXT-Code.ps1"
    or TargetFileName endswith "\\Execute-OnTime.ps1"
    or TargetFileName endswith "\\ExetoText.ps1"
    or TargetFileName endswith "\\Exploit-Jboss.ps1"
    or TargetFileName endswith "\\Find-AVSignature.ps1"
    or TargetFileName endswith "\\Find-Fruit.ps1"
    or TargetFileName endswith "\\Find-GPOLocation.ps1"
    or TargetFileName endswith "\\Find-TrustedDocuments.ps1"
    or TargetFileName endswith "\\FireBuster.ps1"
    or TargetFileName endswith "\\FireListener.ps1"
    or TargetFileName endswith "\\Get-ApplicationHost.ps1"
    or TargetFileName endswith "\\Get-ChromeDump.ps1"
    or TargetFileName endswith "\\Get-ClipboardContents.ps1"
    or TargetFileName endswith "\\Get-ComputerDetail.ps1"
    or TargetFileName endswith "\\Get-FoxDump.ps1"
    or TargetFileName endswith "\\Get-GPPAutologon.ps1"
    or TargetFileName endswith "\\Get-GPPPassword.ps1"
    or TargetFileName endswith "\\Get-IndexedItem.ps1"
    or TargetFileName endswith "\\Get-Keystrokes.ps1"
    or TargetFileName endswith "\\Get-LSASecret.ps1"
    or TargetFileName endswith "\\Get-MicrophoneAudio.ps1"
    or TargetFileName endswith "\\Get-PassHashes.ps1"
    or TargetFileName endswith "\\Get-PassHints.ps1"
    or TargetFileName endswith "\\Get-RegAlwaysInstallElevated.ps1"
    or TargetFileName endswith "\\Get-RegAutoLogon.ps1"
    or TargetFileName endswith "\\Get-RickAstley.ps1"
    or TargetFileName endswith "\\Get-Screenshot.ps1"
    or TargetFileName endswith "\\Get-SecurityPackages.ps1"
    or TargetFileName endswith "\\Get-ServiceFilePermission.ps1"
    or TargetFileName endswith "\\Get-ServicePermission.ps1"
    or TargetFileName endswith "\\Get-ServiceUnquoted.ps1"
    or TargetFileName endswith "\\Get-SiteListPassword.ps1"
    or TargetFileName endswith "\\Get-System.ps1"
    or TargetFileName endswith "\\Get-TimedScreenshot.ps1"
    or TargetFileName endswith "\\Get-UnattendedInstallFile.ps1"
    or TargetFileName endswith "\\Get-Unconstrained.ps1"
    or TargetFileName endswith "\\Get-USBKeystrokes.ps1"
    or TargetFileName endswith "\\Get-VaultCredential.ps1"
    or TargetFileName endswith "\\Get-VulnAutoRun.ps1"
    or TargetFileName endswith "\\Get-VulnSchTask.ps1"
    or TargetFileName endswith "\\Get-WebConfig.ps1"
    or TargetFileName endswith "\\Get-WebCredentials.ps1"
    or TargetFileName endswith "\\Get-WLAN-Keys.ps1"
    or TargetFileName endswith "\\Gupt-Backdoor.ps1"
    or TargetFileName endswith "\\HTTP-Backdoor.ps1"
    or TargetFileName endswith "\\HTTP-Login.ps1"
    or TargetFileName endswith "\\Install-ServiceBinary.ps1"
    or TargetFileName endswith "\\Install-SSP.ps1"
    or TargetFileName endswith "\\Invoke-ACLScanner.ps1"
    or TargetFileName endswith "\\Invoke-ADSBackdoor.ps1"
    or TargetFileName endswith "\\Invoke-AmsiBypass.ps1"
    or TargetFileName endswith "\\Invoke-ARPScan.ps1"
    or TargetFileName endswith "\\Invoke-BackdoorLNK.ps1"
    or TargetFileName endswith "\\Invoke-BadPotato.ps1"
    or TargetFileName endswith "\\Invoke-BetterSafetyKatz.ps1"
    or TargetFileName endswith "\\Invoke-BruteForce.ps1"
    or TargetFileName endswith "\\Invoke-BypassUAC.ps1"
    or TargetFileName endswith "\\Invoke-Carbuncle.ps1"
    or TargetFileName endswith "\\Invoke-Certify.ps1"
    or TargetFileName endswith "\\Invoke-ConPtyShell.ps1"
    or TargetFileName endswith "\\Invoke-CredentialInjection.ps1"
    or TargetFileName endswith "\\Invoke-CredentialsPhish.ps1"
    or TargetFileName endswith "\\Invoke-DAFT.ps1"
    or TargetFileName endswith "\\Invoke-DCSync.ps1"
    or TargetFileName endswith "\\Invoke-Decode.ps1"
    or TargetFileName endswith "\\Invoke-DinvokeKatz.ps1"
    or TargetFileName endswith "\\Invoke-DllInjection.ps1"
    or TargetFileName endswith "\\Invoke-DNSExfiltrator.ps1"
    or TargetFileName endswith "\\Invoke-DNSUpdate.ps1"
    or TargetFileName endswith "\\Invoke-DowngradeAccount.ps1"
    or TargetFileName endswith "\\Invoke-EgressCheck.ps1"
    or TargetFileName endswith "\\Invoke-Encode.ps1"
    or TargetFileName endswith "\\Invoke-EventViewer.ps1"
    or TargetFileName endswith "\\Invoke-Eyewitness.ps1"
    or TargetFileName endswith "\\Invoke-FakeLogonScreen.ps1"
    or TargetFileName endswith "\\Invoke-Farmer.ps1"
    or TargetFileName endswith "\\Invoke-Get-RBCD-Threaded.ps1"
    or TargetFileName endswith "\\Invoke-Gopher.ps1"
    or TargetFileName endswith "\\Invoke-Grouper2.ps1"
    or TargetFileName endswith "\\Invoke-Grouper3.ps1"
    or TargetFileName endswith "\\Invoke-HandleKatz.ps1"
    or TargetFileName endswith "\\Invoke-Interceptor.ps1"
    or TargetFileName endswith "\\Invoke-Internalmonologue.ps1"
    or TargetFileName endswith "\\Invoke-Inveigh.ps1"
    or TargetFileName endswith "\\Invoke-InveighRelay.ps1"
    or TargetFileName endswith "\\Invoke-JSRatRegsvr.ps1"
    or TargetFileName endswith "\\Invoke-JSRatRundll.ps1"
    or TargetFileName endswith "\\Invoke-KrbRelay.ps1"
    or TargetFileName endswith "\\Invoke-KrbRelayUp.ps1"
    or TargetFileName endswith "\\Invoke-LdapSignCheck.ps1"
    or TargetFileName endswith "\\Invoke-Lockless.ps1"
    or TargetFileName endswith "\\Invoke-MalSCCM.ps1"
    or TargetFileName endswith "\\Invoke-Mimikatz.ps1"
    or TargetFileName endswith "\\Invoke-MimikatzWDigestDowngrade.ps1"
    or TargetFileName endswith "\\Invoke-Mimikittenz.ps1"
    or TargetFileName endswith "\\Invoke-MITM6.ps1"
    or TargetFileName endswith "\\Invoke-NanoDump.ps1"
    or TargetFileName endswith "\\Invoke-NetRipper.ps1"
    or TargetFileName endswith "\\Invoke-NetworkRelay.ps1"
    or TargetFileName endswith "\\Invoke-NinjaCopy.ps1"
    or TargetFileName endswith "\\Invoke-OxidResolver.ps1"
    or TargetFileName endswith "\\Invoke-P0wnedshell.ps1"
    or TargetFileName endswith "\\Invoke-P0wnedshellx86.ps1"
    or TargetFileName endswith "\\Invoke-Paranoia.ps1"
    or TargetFileName endswith "\\Invoke-PortScan.ps1"
    or TargetFileName endswith "\\Invoke-PoshRatHttp.ps1"
    or TargetFileName endswith "\\Invoke-PoshRatHttps.ps1"
    or TargetFileName endswith "\\Invoke-PostExfil.ps1"
    or TargetFileName endswith "\\Invoke-PowerDump.ps1"
    or TargetFileName endswith "\\Invoke-PowerDPAPI.ps1"
    or TargetFileName endswith "\\Invoke-PowerShellIcmp.ps1"
    or TargetFileName endswith "\\Invoke-PowerShellTCP.ps1"
    or TargetFileName endswith "\\Invoke-PowerShellTcpOneLine.ps1"
    or TargetFileName endswith "\\Invoke-PowerShellTcpOneLineBind.ps1"
    or TargetFileName endswith "\\Invoke-PowerShellUdp.ps1"
    or TargetFileName endswith "\\Invoke-PowerShellUdpOneLine.ps1"
    or TargetFileName endswith "\\Invoke-PowerShellWMI.ps1"
    or TargetFileName endswith "\\Invoke-PowerThIEf.ps1"
    or TargetFileName endswith "\\Invoke-PPLDump.ps1"
    or TargetFileName endswith "\\Invoke-Prasadhak.ps1"
    or TargetFileName endswith "\\Invoke-PsExec.ps1"
    or TargetFileName endswith "\\Invoke-PsGcat.ps1"
    or TargetFileName endswith "\\Invoke-PsGcatAgent.ps1"
    or TargetFileName endswith "\\Invoke-PSInject.ps1"
    or TargetFileName endswith "\\Invoke-PsUaCme.ps1"
    or TargetFileName endswith "\\Invoke-ReflectivePEInjection.ps1"
    or TargetFileName endswith "\\Invoke-ReverseDNSLookup.ps1"
    or TargetFileName endswith "\\Invoke-Rubeus.ps1"
    or TargetFileName endswith "\\Invoke-RunAs.ps1"
    or TargetFileName endswith "\\Invoke-SafetyKatz.ps1"
    or TargetFileName endswith "\\Invoke-SauronEye.ps1"
    or TargetFileName endswith "\\Invoke-SCShell.ps1"
    or TargetFileName endswith "\\Invoke-Seatbelt.ps1"
    or TargetFileName endswith "\\Invoke-ServiceAbuse.ps1"
    or TargetFileName endswith "\\Invoke-SessionGopher.ps1"
    or TargetFileName endswith "\\Invoke-ShellCode.ps1"
    or TargetFileName endswith "\\Invoke-SMBScanner.ps1"
    or TargetFileName endswith "\\Invoke-Snaffler.ps1"
    or TargetFileName endswith "\\Invoke-Spoolsample.ps1"
    or TargetFileName endswith "\\Invoke-SSHCommand.ps1"
    or TargetFileName endswith "\\Invoke-SSIDExfil.ps1"
    or TargetFileName endswith "\\Invoke-StandIn.ps1"
    or TargetFileName endswith "\\Invoke-StickyNotesExtract.ps1"
    or TargetFileName endswith "\\Invoke-Tater.ps1"
    or TargetFileName endswith "\\Invoke-Thunderfox.ps1"
    or TargetFileName endswith "\\Invoke-ThunderStruck.ps1"
    or TargetFileName endswith "\\Invoke-TokenManipulation.ps1"
    or TargetFileName endswith "\\Invoke-Tokenvator.ps1"
    or TargetFileName endswith "\\Invoke-TotalExec.ps1"
    or TargetFileName endswith "\\Invoke-UrbanBishop.ps1"
    or TargetFileName endswith "\\Invoke-UserHunter.ps1"
    or TargetFileName endswith "\\Invoke-VoiceTroll.ps1"
    or TargetFileName endswith "\\Invoke-Whisker.ps1"
    or TargetFileName endswith "\\Invoke-WinEnum.ps1"
    or TargetFileName endswith "\\Invoke-winPEAS.ps1"
    or TargetFileName endswith "\\Invoke-WireTap.ps1"
    or TargetFileName endswith "\\Invoke-WmiCommand.ps1"
    or TargetFileName endswith "\\Invoke-WScriptBypassUAC.ps1"
    or TargetFileName endswith "\\Invoke-Zerologon.ps1"
    or TargetFileName endswith "\\Keylogger.ps1"
    or TargetFileName endswith "\\MailRaider.ps1"
    or TargetFileName endswith "\\New-HoneyHash.ps1"
    or TargetFileName endswith "\\OfficeMemScraper.ps1"
    or TargetFileName endswith "\\Offline_Winpwn.ps1"
    or TargetFileName endswith "\\Out-CHM.ps1"
    or TargetFileName endswith "\\Out-DnsTxt.ps1"
    or TargetFileName endswith "\\Out-Excel.ps1"
    or TargetFileName endswith "\\Out-HTA.ps1"
    or TargetFileName endswith "\\Out-Java.ps1"
    or TargetFileName endswith "\\Out-JS.ps1"
    or TargetFileName endswith "\\Out-Minidump.ps1"
    or TargetFileName endswith "\\Out-RundllCommand.ps1"
    or TargetFileName endswith "\\Out-SCF.ps1"
    or TargetFileName endswith "\\Out-SCT.ps1"
    or TargetFileName endswith "\\Out-Shortcut.ps1"
    or TargetFileName endswith "\\Out-WebQuery.ps1"
    or TargetFileName endswith "\\Out-Word.ps1"
    or TargetFileName endswith "\\Parse_Keys.ps1"
    or TargetFileName endswith "\\Port-Scan.ps1"
    or TargetFileName endswith "\\PowerBreach.ps1"
    or TargetFileName endswith "\\powercat.ps1"
    or TargetFileName endswith "\\Powermad.ps1"
    or TargetFileName endswith "\\PowerRunAsSystem.psm1"
    or TargetFileName endswith "\\PowerSharpPack.ps1"
    or TargetFileName endswith "\\PowerUp.ps1"
    or TargetFileName endswith "\\PowerUpSQL.ps1"
    or TargetFileName endswith "\\PowerView.ps1"
    or TargetFileName endswith "\\PSAsyncShell.ps1"
    or TargetFileName endswith "\\RemoteHashRetrieval.ps1"
    or TargetFileName endswith "\\Remove-Persistence.ps1"
    or TargetFileName endswith "\\Remove-PoshRat.ps1"
    or TargetFileName endswith "\\Remove-Update.ps1"
    or TargetFileName endswith "\\Run-EXEonRemote.ps1"
    or TargetFileName endswith "\\Schtasks-Backdoor.ps1"
    or TargetFileName endswith "\\Set-DCShadowPermissions.ps1"
    or TargetFileName endswith "\\Set-MacAttribute.ps1"
    or TargetFileName endswith "\\Set-RemotePSRemoting.ps1"
    or TargetFileName endswith "\\Set-RemoteWMI.ps1"
    or TargetFileName endswith "\\Set-Wallpaper.ps1"
    or TargetFileName endswith "\\Show-TargetScreen.ps1"
    or TargetFileName endswith "\\Speak.ps1"
    or TargetFileName endswith "\\Start-CaptureServer.ps1"
    or TargetFileName endswith "\\Start-WebcamRecorder.ps1"
    or TargetFileName endswith "\\StringToBase64.ps1"
    or TargetFileName endswith "\\TexttoExe.ps1"
    or TargetFileName endswith "\\Veeam-Get-Creds.ps1"
    or TargetFileName endswith "\\VolumeShadowCopyTools.ps1"
    or TargetFileName endswith "\\WinPwn.ps1"
    or TargetFileName endswith "\\WSUSpendu.ps1"
  )
  or (TargetFileName contains "Invoke-Sharp" and TargetFileName endswith ".ps1")
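As an added example (not part of the Sigma rule, the SigmaHQ project or the Sentinel query above), the following Python applies the rule's logsource gate, its two selections and the `1 of selection_*` condition to constructed file-creation events, using a four-entry subset of the suffix list; it shows why each entry carries a leading backslash, that Sigma string matching is case-insensitive, and why `Invoke-SharpHound.txt` or `Get-PassHashes.ps1.txt` do not fire. Event field names (`Category`, `Product`, `TargetFilename`) are assumed for the illustration.

```python
# Added example, not from the Sigma rule or SigmaHQ: evaluate this rule against constructed events.

# Subset of the rule's TargetFilename|endswith list (the full list is in the rule
# above). The leading backslash anchors each entry to the whole file name.
ENDSWITH_SUFFIXES = [
    "\\Invoke-Mimikatz.ps1",
    "\\Get-PassHashes.ps1",
    "\\PowerRunAsSystem.psm1",
    "\\Speak.ps1",
]

def match_selection_generic(target_filename: str) -> bool:
    # Sigma string modifiers such as endswith compare case-insensitively.
    t = target_filename.lower()
    return any(t.endswith(suffix.lower()) for suffix in ENDSWITH_SUFFIXES)

def match_selection_invoke_sharp(target_filename: str) -> bool:
    # Two fields in one selection are ANDed: 'Invoke-Sharp' anywhere AND a .ps1 extension.
    t = target_filename.lower()
    return "invoke-sharp" in t and t.endswith(".ps1")

def which_selection(event: dict):
    """Return the name of the selection that fires for this event, or None."""
    # logsource gate: category file_event, product windows (field names assumed).
    if event.get("Category") != "file_event" or event.get("Product") != "windows":
        return None
    target = event.get("TargetFilename", "")
    # condition '1 of selection_*' is an OR over the selections.
    if match_selection_generic(target):
        return "selection_generic"
    if match_selection_invoke_sharp(target):
        return "selection_invoke_sharp"
    return None

def evaluate(events):
    """Return (TargetFilename, selection) for every event the rule alerts on."""
    hits = []
    for event in events:
        selection = which_selection(event)
        if selection is not None:
            hits.append((event["TargetFilename"], selection))
    return hits

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Category": "file_event", "Product": "windows",
     "TargetFilename": "C:\\Users\\bob\\Downloads\\Invoke-Mimikatz.ps1"},  # hit
    {"Category": "file_event", "Product": "windows",
     "TargetFilename": "C:\\Temp\\invoke-mimikatz.PS1"},  # hit: case-insensitive
    {"Category": "file_event", "Product": "windows",
     "TargetFilename": "C:\\Tools\\Invoke-SharpHound.ps1"},  # hit: Invoke-Sharp variant
    {"Category": "file_event", "Product": "windows",
     "TargetFilename": "C:\\Tools\\Invoke-SharpHound.txt"},  # no hit: not .ps1
    {"Category": "file_event", "Product": "windows",
     "TargetFilename": "C:\\Scripts\\NotSpeak.ps1"},  # no hit: backslash anchor
    {"Category": "file_event", "Product": "windows",
     "TargetFilename": "C:\\Temp\\Get-PassHashes.ps1.txt"},  # no hit: suffix not at end
    {"Category": "process_creation", "Product": "windows",
     "TargetFilename": "C:\\Temp\\Invoke-Mimikatz.ps1"},  # no hit: wrong logsource
]

if __name__ == "__main__":
    for name, selection in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {selection}: {name}")
```

Running the block prints the three alerting events with the selection that fired; extend `ENDSWITH_SUFFIXES` with the rest of the rule's list to test the full rule.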
Scenario: Scheduled Job for System Maintenance
Description: A legitimate scheduled job runs a PowerShell script to perform system updates or maintenance tasks.
Filter/Exclusion: process.parent_process == "schtasks.exe" or process.command_line contains "schtasks"
Scenario: Admin Task – PowerShell Remoting Configuration
Description: An administrator uses PowerShell to configure remote management settings, which may involve script execution.
Filter/Exclusion: process.user == "admin_user" or process.command_line contains "Enable-PSRemoting"
Scenario: PowerShell One-Liner for Log Analysis
Description: A security analyst runs a one-liner PowerShell script to analyze system logs or extract specific data.
Filter/Exclusion: process.command_line contains "Get-EventLog" or process.command_line contains "Select-String"
Scenario: Deployment of Known Secure PowerShell Scripts
Description: A DevOps team deploys a known secure PowerShell script for application deployment or configuration.
Filter/Exclusion: file.name contains "Deploy-App.ps1" or file.sha256 == "known_secure_script_hash"
Scenario: PowerShell Script for Patch Management
Description: A patch management tool uses PowerShell to apply updates or patches to endpoints.
Filter/Exclusion: process.command_line contains "Install-WindowsUpdate" or process.command_line contains "Update-Package"