Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Detect and alert on nefarious PowerShell command line activity
# PowerShell Audit Logging for LogRhythm SIEM - 2015
# For detecting dangerous PowerShell Commands/Functions
Log Source Type:
MS Event Log for Win7/Win8/2008/2012 - PowerShell
Add this file to your PowerShell directory to enable verbose command line audit logging
profile.ps1
$LogCommandHealthEvent = $true
$LogCommandLifeCycleEvent = $true
RegEx : Parse PowerShell Commands
.*?eventid.*?>(?<vmid>\d+)<.*?<level>(?<severity>.*?)</level>.*?Computer>(?<dname>.*?)</computer>.*?Command\s(?<object>.*?)\s(.*?\n)+?\s+CommandLine=(?<command>.*?)</EventData>
List : Dangerous Commands
Set-ExecutionPolicy
Mimikatz
EncodedCommand
Payload
Find-AVSignature
DllInjection
ReflectivePEInjection
Invoke-Shellcode
Invoke--Shellcode
Invoke-ShellcodeMSIL
Get-GPPPassword
Get-Keystrokes
Get-TimedScreenshot
Get-VaultCredential
Invoke-CredentialInjection
Invoke-NinjaCopy
Invoke-TokenManipulation
Out-Minidump
Set-MasterBootRecord
New-ElevatedPersistenceOption
Invoke-CallbackIEX
Invoke-PSInject
Invoke-DllEncode
Get-ServiceUnquoted
Get-ServiceEXEPerms
Get-ServicePerms
Invoke-ServiceUserAdd
Invoke-ServiceCMD
Write-UserAddServiceBinary
Write-CMDServiceBinary
Write-UserAddMSI
Write-ServiceEXE
Write-ServiceEXECMD
Restore-ServiceEXE
Invoke-ServiceStart
Invoke-ServiceStop
Invoke-ServiceEnable
Invoke-ServiceDisable
Invoke-FindDLLHijack
Invoke-FindPathHijack
Get-RegAlwaysInstallElevated
Get-RegAutoLogon
Get-UnattendedInstallFiles
Get-Webconfig
Get-ApplicationHost
Invoke-AllChecks
Invoke-MassCommand
Invoke-MassMimikatz
Invoke-MassSearch
Invoke-MassTemplate
Invoke-MassTokens
HTTP-Backdoor
Add-ScrnSaveBackdoor
Gupt-Backdoor
Invoke-ADSBackdoor
Execute-OnTime
DNS_TXT_Pwnage
Out-Word
Out-Excel
Out-Java
Out-Shortcut
Out-CHM
Out-HTA
Enable-DuplicateToken
Remove-Update
Execute-DNSTXT-Code
Download-Execute-PS
Execute-Command-MSSQL
Download_Execute
Get-PassHashes
Invoke-CredentialsPhish
Get-LsaSecret
Get-Information
Invoke-MimikatzWDigestDowngrade
Copy-VSS
Check-VM
Invoke-NetworkRelay
Create-MultipleSessions
Run-EXEonRemote
Invoke-BruteForce
Port-Scan
Invoke-PowerShellIcmp
Invoke-PowerShellUdp
Invoke-PsGcatAgent
Invoke-PoshRatHttps
Invoke-PowerShellTcp
Invoke-PoshRatHttp
Invoke-PowerShellWmi
Invoke-PSGcat
Remove-PoshRat
TexttoEXE
Invoke-Encode
Invoke-Decode
Base64ToString
StringtoBase64
Do-Exfiltration
Parse_Keys
Add-Exfiltration
Add-Persistence
Remove-Persistence
Invoke-CreateCertificate
powercat
Find-PSServiceAccounts
Get-PSADForestKRBTGTInfo
Discover-PSMSSQLServers
Discover-PSMSExchangeServers
Get-PSADForestInfo
Get-KerberosPolicy
Discover-PSInterestingServices
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.