Malicious PowerShell Scripts - PoshModule

Status: test
Severity: high
Log source: product windows, category ps_module
Author: frack113, Nasreddine Bencherchali (Nextron Systems)
Source: github.com/SigmaHQ/sigma

Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1059.001` Command and Scripting Interpreter: PowerShell

Event coverage

Provider	Event	Title
PowerShell	Event ID 4103	Payload Context: ContextInfo User Data: UserData.

Rule body yaml

title: Malicious PowerShell Scripts - PoshModule
id: 41025fd7-0466-4650-a813-574aaacbe7f4
related:
    - id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
      type: similar
    - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
      type: obsolete
status: test
description: Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance
references:
    - https://github.com/PowerShellMafia/PowerSploit
    - https://github.com/NetSPI/PowerUpSQL
    - https://github.com/CsEnox/EventViewer-UACBypass
    - https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu
    - https://github.com/nettitude/Invoke-PowerThIEf
    - https://github.com/S3cur3Th1sSh1t/WinPwn
    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
    - https://github.com/HarmJ0y/DAMP
    - https://github.com/samratashok/nishang
    - https://github.com/DarkCoderSc/PowerRunAsSystem/
    - https://github.com/besimorhino/powercat
    - https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
    - https://github.com/The-Viper-One/Invoke-PowerDPAPI/
    - https://github.com/Arno0x/DNSExfiltrator/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-23
modified: 2025-12-10
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_generic:
        ContextInfo|contains:
            - 'Add-ConstrainedDelegationBackdoor.ps1'
            - 'Add-Exfiltration.ps1'
            - 'Add-Persistence.ps1'
            - 'Add-RegBackdoor.ps1'
            - 'Add-RemoteRegBackdoor.ps1'
            - 'Add-ScrnSaveBackdoor.ps1'
            - 'BadSuccessor.ps1'
            - 'Check-VM.ps1'
            - 'ConvertTo-ROT13.ps1'
            - 'Copy-VSS.ps1'
            - 'Create-MultipleSessions.ps1'
            - 'DNS_TXT_Pwnage.ps1'
            - 'dnscat2.ps1'
            - 'Do-Exfiltration.ps1'
            - 'DomainPasswordSpray.ps1'
            - 'Download_Execute.ps1'
            - 'Download-Execute-PS.ps1'
            - 'Enabled-DuplicateToken.ps1'
            - 'Enable-DuplicateToken.ps1'
            - 'Execute-Command-MSSQL.ps1'
            - 'Execute-DNSTXT-Code.ps1'
            - 'Execute-OnTime.ps1'
            - 'ExetoText.ps1'
            - 'Exploit-Jboss.ps1'
            - 'Find-AVSignature.ps1'
            - 'Find-Fruit.ps1'
            - 'Find-GPOLocation.ps1'
            - 'Find-TrustedDocuments.ps1'
            - 'FireBuster.ps1'
            - 'FireListener.ps1'
            - 'Get-ApplicationHost.ps1'
            - 'Get-ChromeDump.ps1'
            - 'Get-ClipboardContents.ps1'
            - 'Get-ComputerDetail.ps1'
            - 'Get-FoxDump.ps1'
            - 'Get-GPPAutologon.ps1'
            - 'Get-GPPPassword.ps1'
            - 'Get-IndexedItem.ps1'
            - 'Get-Keystrokes.ps1'
            - 'Get-LSASecret.ps1'
            - 'Get-MicrophoneAudio.ps1'
            - 'Get-PassHashes.ps1'
            - 'Get-PassHints.ps1'
            - 'Get-RegAlwaysInstallElevated.ps1'
            - 'Get-RegAutoLogon.ps1'
            - 'Get-RickAstley.ps1'
            - 'Get-Screenshot.ps1'
            - 'Get-SecurityPackages.ps1'
            - 'Get-ServiceFilePermission.ps1'
            - 'Get-ServicePermission.ps1'
            - 'Get-ServiceUnquoted.ps1'
            - 'Get-SiteListPassword.ps1'
            - 'Get-System.ps1'
            - 'Get-TimedScreenshot.ps1'
            - 'Get-UnattendedInstallFile.ps1'
            - 'Get-Unconstrained.ps1'
            - 'Get-USBKeystrokes.ps1'
            - 'Get-VaultCredential.ps1'
            - 'Get-VulnAutoRun.ps1'
            - 'Get-VulnSchTask.ps1'
            - 'Get-WebConfig.ps1'
            - 'Get-WebCredentials.ps1'
            - 'Get-WLAN-Keys.ps1'
            - 'Gupt-Backdoor.ps1'
            - 'HTTP-Backdoor.ps1'
            - 'HTTP-Login.ps1'
            - 'Install-ServiceBinary.ps1'
            - 'Install-SSP.ps1'
            - 'Invoke-ACLScanner.ps1'
            - 'Invoke-ADSBackdoor.ps1'
            - 'Invoke-AmsiBypass.ps1'
            - 'Invoke-ARPScan.ps1'
            - 'Invoke-BackdoorLNK.ps1'
            - 'Invoke-BadPotato.ps1'
            - 'Invoke-BetterSafetyKatz.ps1'
            - 'Invoke-BruteForce.ps1'
            - 'Invoke-BypassUAC.ps1'
            - 'Invoke-Carbuncle.ps1'
            - 'Invoke-Certify.ps1'
            - 'Invoke-ConPtyShell.ps1'
            - 'Invoke-CredentialInjection.ps1'
            - 'Invoke-CredentialsPhish.ps1'
            - 'Invoke-DAFT.ps1'
            - 'Invoke-DCSync.ps1'
            - 'Invoke-Decode.ps1'
            - 'Invoke-DinvokeKatz.ps1'
            - 'Invoke-DllInjection.ps1'
            - 'Invoke-DNSExfiltrator.ps1'
            - 'Invoke-DowngradeAccount.ps1'
            - 'Invoke-EgressCheck.ps1'
            - 'Invoke-Encode.ps1'
            - 'Invoke-EventViewer.ps1'
            - 'Invoke-Eyewitness.ps1'
            - 'Invoke-FakeLogonScreen.ps1'
            - 'Invoke-Farmer.ps1'
            - 'Invoke-Get-RBCD-Threaded.ps1'
            - 'Invoke-Gopher.ps1'
            - 'Invoke-Grouper2.ps1'
            - 'Invoke-Grouper3.ps1'
            - 'Invoke-HandleKatz.ps1'
            - 'Invoke-Interceptor.ps1'
            - 'Invoke-Internalmonologue.ps1'
            - 'Invoke-Inveigh.ps1'
            - 'Invoke-InveighRelay.ps1'
            - 'Invoke-JSRatRegsvr.ps1'
            - 'Invoke-JSRatRundll.ps1'
            - 'Invoke-KrbRelay.ps1'
            - 'Invoke-KrbRelayUp.ps1'
            - 'Invoke-LdapSignCheck.ps1'
            - 'Invoke-Lockless.ps1'
            - 'Invoke-MalSCCM.ps1'
            - 'Invoke-Mimikatz.ps1'
            - 'Invoke-MimikatzWDigestDowngrade.ps1'
            - 'Invoke-Mimikittenz.ps1'
            - 'Invoke-MITM6.ps1'
            - 'Invoke-NanoDump.ps1'
            - 'Invoke-NetRipper.ps1'
            - 'Invoke-NetworkRelay.ps1'
            - 'Invoke-NinjaCopy.ps1'
            - 'Invoke-OxidResolver.ps1'
            - 'Invoke-P0wnedshell.ps1'
            - 'Invoke-P0wnedshellx86.ps1'
            - 'Invoke-Paranoia.ps1'
            - 'Invoke-PortScan.ps1'
            - 'Invoke-PoshRatHttp.ps1'
            - 'Invoke-PoshRatHttps.ps1'
            - 'Invoke-PostExfil.ps1'
            - 'Invoke-PowerDump.ps1'
            - 'Invoke-PowerDPAPI.ps1'
            - 'Invoke-PowerShellIcmp.ps1'
            - 'Invoke-PowerShellTCP.ps1'
            - 'Invoke-PowerShellTcpOneLine.ps1'
            - 'Invoke-PowerShellTcpOneLineBind.ps1'
            - 'Invoke-PowerShellUdp.ps1'
            - 'Invoke-PowerShellUdpOneLine.ps1'
            - 'Invoke-PowerShellWMI.ps1'
            - 'Invoke-PowerThIEf.ps1'
            - 'Invoke-PPLDump.ps1'
            - 'Invoke-Prasadhak.ps1'
            - 'Invoke-PsExec.ps1'
            - 'Invoke-PsGcat.ps1'
            - 'Invoke-PsGcatAgent.ps1'
            - 'Invoke-PSInject.ps1'
            - 'Invoke-PsUaCme.ps1'
            - 'Invoke-ReflectivePEInjection.ps1'
            - 'Invoke-ReverseDNSLookup.ps1'
            - 'Invoke-Rubeus.ps1'
            - 'Invoke-RunAs.ps1'
            - 'Invoke-SafetyKatz.ps1'
            - 'Invoke-SauronEye.ps1'
            - 'Invoke-SCShell.ps1'
            - 'Invoke-Seatbelt.ps1'
            - 'Invoke-ServiceAbuse.ps1'
            - 'Invoke-SessionGopher.ps1'
            - 'Invoke-ShellCode.ps1'
            - 'Invoke-SMBScanner.ps1'
            - 'Invoke-Snaffler.ps1'
            - 'Invoke-Spoolsample.ps1'
            - 'Invoke-SSHCommand.ps1'
            - 'Invoke-SSIDExfil.ps1'
            - 'Invoke-StandIn.ps1'
            - 'Invoke-StickyNotesExtract.ps1'
            - 'Invoke-Tater.ps1'
            - 'Invoke-Thunderfox.ps1'
            - 'Invoke-ThunderStruck.ps1'
            - 'Invoke-TokenManipulation.ps1'
            - 'Invoke-Tokenvator.ps1'
            - 'Invoke-TotalExec.ps1'
            - 'Invoke-UrbanBishop.ps1'
            - 'Invoke-UserHunter.ps1'
            - 'Invoke-VoiceTroll.ps1'
            - 'Invoke-Whisker.ps1'
            - 'Invoke-WinEnum.ps1'
            - 'Invoke-winPEAS.ps1'
            - 'Invoke-WireTap.ps1'
            - 'Invoke-WmiCommand.ps1'
            - 'Invoke-WScriptBypassUAC.ps1'
            - 'Invoke-Zerologon.ps1'
            - 'Keylogger.ps1'
            - 'MailRaider.ps1'
            - 'New-HoneyHash.ps1'
            - 'OfficeMemScraper.ps1'
            - 'Offline_Winpwn.ps1'
            - 'Out-CHM.ps1'
            - 'Out-DnsTxt.ps1'
            - 'Out-Excel.ps1'
            - 'Out-HTA.ps1'
            - 'Out-Java.ps1'
            - 'Out-JS.ps1'
            - 'Out-Minidump.ps1'
            - 'Out-RundllCommand.ps1'
            - 'Out-SCF.ps1'
            - 'Out-SCT.ps1'
            - 'Out-Shortcut.ps1'
            - 'Out-WebQuery.ps1'
            - 'Out-Word.ps1'
            - 'Parse_Keys.ps1'
            - 'Port-Scan.ps1'
            - 'PowerBreach.ps1'
            - 'powercat.ps1'
            - 'PowerRunAsSystem.psm1'
            - 'PowerSharpPack.ps1'
            - 'PowerUp.ps1'
            - 'PowerUpSQL.ps1'
            - 'PowerView.ps1'
            - 'PSAsyncShell.ps1'
            - 'RemoteHashRetrieval.ps1'
            - 'Remove-Persistence.ps1'
            - 'Remove-PoshRat.ps1'
            - 'Remove-Update.ps1'
            - 'Run-EXEonRemote.ps1'
            - 'Schtasks-Backdoor.ps1'
            - 'Set-DCShadowPermissions.ps1'
            - 'Set-MacAttribute.ps1'
            - 'Set-RemotePSRemoting.ps1'
            - 'Set-RemoteWMI.ps1'
            - 'Set-Wallpaper.ps1'
            - 'Show-TargetScreen.ps1'
            - 'Speak.ps1'
            - 'Start-CaptureServer.ps1'
            - 'Start-WebcamRecorder.ps1'
            - 'StringToBase64.ps1'
            - 'TexttoExe.ps1'
            - 'Veeam-Get-Creds.ps1'
            - 'VolumeShadowCopyTools.ps1'
            - 'WinPwn.ps1'
            - 'WSUSpendu.ps1'
    selection_invoke_sharp:
        ContextInfo|contains|all:
            - 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
            - '.ps1'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

Stages and Predicates

Stage 0: `condition`

1 of selection_*

Stage 1: `selection_generic`

selection_generic:
    ContextInfo|contains:
        - 'Add-ConstrainedDelegationBackdoor.ps1'
        - 'Add-Exfiltration.ps1'
        - 'Add-Persistence.ps1'
        - 'Add-RegBackdoor.ps1'
        - 'Add-RemoteRegBackdoor.ps1'
        - 'Add-ScrnSaveBackdoor.ps1'
        - 'BadSuccessor.ps1'
        - 'Check-VM.ps1'
        - 'ConvertTo-ROT13.ps1'
        - 'Copy-VSS.ps1'
        - 'Create-MultipleSessions.ps1'
        - 'DNS_TXT_Pwnage.ps1'
        - 'dnscat2.ps1'
        - 'Do-Exfiltration.ps1'
        - 'DomainPasswordSpray.ps1'
        - 'Download_Execute.ps1'
        - 'Download-Execute-PS.ps1'
        - 'Enabled-DuplicateToken.ps1'
        - 'Enable-DuplicateToken.ps1'
        - 'Execute-Command-MSSQL.ps1'
        - 'Execute-DNSTXT-Code.ps1'
        - 'Execute-OnTime.ps1'
        - 'ExetoText.ps1'
        - 'Exploit-Jboss.ps1'
        - 'Find-AVSignature.ps1'
        - 'Find-Fruit.ps1'
        - 'Find-GPOLocation.ps1'
        - 'Find-TrustedDocuments.ps1'
        - 'FireBuster.ps1'
        - 'FireListener.ps1'
        - 'Get-ApplicationHost.ps1'
        - 'Get-ChromeDump.ps1'
        - 'Get-ClipboardContents.ps1'
        - 'Get-ComputerDetail.ps1'
        - 'Get-FoxDump.ps1'
        - 'Get-GPPAutologon.ps1'
        - 'Get-GPPPassword.ps1'
        - 'Get-IndexedItem.ps1'
        - 'Get-Keystrokes.ps1'
        - 'Get-LSASecret.ps1'
        - 'Get-MicrophoneAudio.ps1'
        - 'Get-PassHashes.ps1'
        - 'Get-PassHints.ps1'
        - 'Get-RegAlwaysInstallElevated.ps1'
        - 'Get-RegAutoLogon.ps1'
        - 'Get-RickAstley.ps1'
        - 'Get-Screenshot.ps1'
        - 'Get-SecurityPackages.ps1'
        - 'Get-ServiceFilePermission.ps1'
        - 'Get-ServicePermission.ps1'
        - 'Get-ServiceUnquoted.ps1'
        - 'Get-SiteListPassword.ps1'
        - 'Get-System.ps1'
        - 'Get-TimedScreenshot.ps1'
        - 'Get-UnattendedInstallFile.ps1'
        - 'Get-Unconstrained.ps1'
        - 'Get-USBKeystrokes.ps1'
        - 'Get-VaultCredential.ps1'
        - 'Get-VulnAutoRun.ps1'
        - 'Get-VulnSchTask.ps1'
        - 'Get-WebConfig.ps1'
        - 'Get-WebCredentials.ps1'
        - 'Get-WLAN-Keys.ps1'
        - 'Gupt-Backdoor.ps1'
        - 'HTTP-Backdoor.ps1'
        - 'HTTP-Login.ps1'
        - 'Install-ServiceBinary.ps1'
        - 'Install-SSP.ps1'
        - 'Invoke-ACLScanner.ps1'
        - 'Invoke-ADSBackdoor.ps1'
        - 'Invoke-AmsiBypass.ps1'
        - 'Invoke-ARPScan.ps1'
        - 'Invoke-BackdoorLNK.ps1'
        - 'Invoke-BadPotato.ps1'
        - 'Invoke-BetterSafetyKatz.ps1'
        - 'Invoke-BruteForce.ps1'
        - 'Invoke-BypassUAC.ps1'
        - 'Invoke-Carbuncle.ps1'
        - 'Invoke-Certify.ps1'
        - 'Invoke-ConPtyShell.ps1'
        - 'Invoke-CredentialInjection.ps1'
        - 'Invoke-CredentialsPhish.ps1'
        - 'Invoke-DAFT.ps1'
        - 'Invoke-DCSync.ps1'
        - 'Invoke-Decode.ps1'
        - 'Invoke-DinvokeKatz.ps1'
        - 'Invoke-DllInjection.ps1'
        - 'Invoke-DNSExfiltrator.ps1'
        - 'Invoke-DowngradeAccount.ps1'
        - 'Invoke-EgressCheck.ps1'
        - 'Invoke-Encode.ps1'
        - 'Invoke-EventViewer.ps1'
        - 'Invoke-Eyewitness.ps1'
        - 'Invoke-FakeLogonScreen.ps1'
        - 'Invoke-Farmer.ps1'
        - 'Invoke-Get-RBCD-Threaded.ps1'
        - 'Invoke-Gopher.ps1'
        - 'Invoke-Grouper2.ps1'
        - 'Invoke-Grouper3.ps1'
        - 'Invoke-HandleKatz.ps1'
        - 'Invoke-Interceptor.ps1'
        - 'Invoke-Internalmonologue.ps1'
        - 'Invoke-Inveigh.ps1'
        - 'Invoke-InveighRelay.ps1'
        - 'Invoke-JSRatRegsvr.ps1'
        - 'Invoke-JSRatRundll.ps1'
        - 'Invoke-KrbRelay.ps1'
        - 'Invoke-KrbRelayUp.ps1'
        - 'Invoke-LdapSignCheck.ps1'
        - 'Invoke-Lockless.ps1'
        - 'Invoke-MalSCCM.ps1'
        - 'Invoke-Mimikatz.ps1'
        - 'Invoke-MimikatzWDigestDowngrade.ps1'
        - 'Invoke-Mimikittenz.ps1'
        - 'Invoke-MITM6.ps1'
        - 'Invoke-NanoDump.ps1'
        - 'Invoke-NetRipper.ps1'
        - 'Invoke-NetworkRelay.ps1'
        - 'Invoke-NinjaCopy.ps1'
        - 'Invoke-OxidResolver.ps1'
        - 'Invoke-P0wnedshell.ps1'
        - 'Invoke-P0wnedshellx86.ps1'
        - 'Invoke-Paranoia.ps1'
        - 'Invoke-PortScan.ps1'
        - 'Invoke-PoshRatHttp.ps1'
        - 'Invoke-PoshRatHttps.ps1'
        - 'Invoke-PostExfil.ps1'
        - 'Invoke-PowerDump.ps1'
        - 'Invoke-PowerDPAPI.ps1'
        - 'Invoke-PowerShellIcmp.ps1'
        - 'Invoke-PowerShellTCP.ps1'
        - 'Invoke-PowerShellTcpOneLine.ps1'
        - 'Invoke-PowerShellTcpOneLineBind.ps1'
        - 'Invoke-PowerShellUdp.ps1'
        - 'Invoke-PowerShellUdpOneLine.ps1'
        - 'Invoke-PowerShellWMI.ps1'
        - 'Invoke-PowerThIEf.ps1'
        - 'Invoke-PPLDump.ps1'
        - 'Invoke-Prasadhak.ps1'
        - 'Invoke-PsExec.ps1'
        - 'Invoke-PsGcat.ps1'
        - 'Invoke-PsGcatAgent.ps1'
        - 'Invoke-PSInject.ps1'
        - 'Invoke-PsUaCme.ps1'
        - 'Invoke-ReflectivePEInjection.ps1'
        - 'Invoke-ReverseDNSLookup.ps1'
        - 'Invoke-Rubeus.ps1'
        - 'Invoke-RunAs.ps1'
        - 'Invoke-SafetyKatz.ps1'
        - 'Invoke-SauronEye.ps1'
        - 'Invoke-SCShell.ps1'
        - 'Invoke-Seatbelt.ps1'
        - 'Invoke-ServiceAbuse.ps1'
        - 'Invoke-SessionGopher.ps1'
        - 'Invoke-ShellCode.ps1'
        - 'Invoke-SMBScanner.ps1'
        - 'Invoke-Snaffler.ps1'
        - 'Invoke-Spoolsample.ps1'
        - 'Invoke-SSHCommand.ps1'
        - 'Invoke-SSIDExfil.ps1'
        - 'Invoke-StandIn.ps1'
        - 'Invoke-StickyNotesExtract.ps1'
        - 'Invoke-Tater.ps1'
        - 'Invoke-Thunderfox.ps1'
        - 'Invoke-ThunderStruck.ps1'
        - 'Invoke-TokenManipulation.ps1'
        - 'Invoke-Tokenvator.ps1'
        - 'Invoke-TotalExec.ps1'
        - 'Invoke-UrbanBishop.ps1'
        - 'Invoke-UserHunter.ps1'
        - 'Invoke-VoiceTroll.ps1'
        - 'Invoke-Whisker.ps1'
        - 'Invoke-WinEnum.ps1'
        - 'Invoke-winPEAS.ps1'
        - 'Invoke-WireTap.ps1'
        - 'Invoke-WmiCommand.ps1'
        - 'Invoke-WScriptBypassUAC.ps1'
        - 'Invoke-Zerologon.ps1'
        - 'Keylogger.ps1'
        - 'MailRaider.ps1'
        - 'New-HoneyHash.ps1'
        - 'OfficeMemScraper.ps1'
        - 'Offline_Winpwn.ps1'
        - 'Out-CHM.ps1'
        - 'Out-DnsTxt.ps1'
        - 'Out-Excel.ps1'
        - 'Out-HTA.ps1'
        - 'Out-Java.ps1'
        - 'Out-JS.ps1'
        - 'Out-Minidump.ps1'
        - 'Out-RundllCommand.ps1'
        - 'Out-SCF.ps1'
        - 'Out-SCT.ps1'
        - 'Out-Shortcut.ps1'
        - 'Out-WebQuery.ps1'
        - 'Out-Word.ps1'
        - 'Parse_Keys.ps1'
        - 'Port-Scan.ps1'
        - 'PowerBreach.ps1'
        - 'powercat.ps1'
        - 'PowerRunAsSystem.psm1'
        - 'PowerSharpPack.ps1'
        - 'PowerUp.ps1'
        - 'PowerUpSQL.ps1'
        - 'PowerView.ps1'
        - 'PSAsyncShell.ps1'
        - 'RemoteHashRetrieval.ps1'
        - 'Remove-Persistence.ps1'
        - 'Remove-PoshRat.ps1'
        - 'Remove-Update.ps1'
        - 'Run-EXEonRemote.ps1'
        - 'Schtasks-Backdoor.ps1'
        - 'Set-DCShadowPermissions.ps1'
        - 'Set-MacAttribute.ps1'
        - 'Set-RemotePSRemoting.ps1'
        - 'Set-RemoteWMI.ps1'
        - 'Set-Wallpaper.ps1'
        - 'Show-TargetScreen.ps1'
        - 'Speak.ps1'
        - 'Start-CaptureServer.ps1'
        - 'Start-WebcamRecorder.ps1'
        - 'StringToBase64.ps1'
        - 'TexttoExe.ps1'
        - 'Veeam-Get-Creds.ps1'
        - 'VolumeShadowCopyTools.ps1'
        - 'WinPwn.ps1'
        - 'WSUSpendu.ps1'

Stage 2: `selection_invoke_sharp`

selection_invoke_sharp:
    ContextInfo|contains|all:
        - 'Invoke-Sharp'
        - '.ps1'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`ContextInfo`	match	`.ps1` `Add-ConstrainedDelegationBackdoor.ps1` `Add-Exfiltration.ps1` `Add-Persistence.ps1` `Add-RegBackdoor.ps1` `Add-RemoteRegBackdoor.ps1` `Add-ScrnSaveBackdoor.ps1` `BadSuccessor.ps1` `Check-VM.ps1` `ConvertTo-ROT13.ps1` `Copy-VSS.ps1` `Create-MultipleSessions.ps1` `DNS_TXT_Pwnage.ps1` `Do-Exfiltration.ps1` `DomainPasswordSpray.ps1` `Download-Execute-PS.ps1` `Download_Execute.ps1` `Enable-DuplicateToken.ps1` `Enabled-DuplicateToken.ps1` `Execute-Command-MSSQL.ps1` `Execute-DNSTXT-Code.ps1` `Execute-OnTime.ps1` `ExetoText.ps1` `Exploit-Jboss.ps1` `Find-AVSignature.ps1` `Find-Fruit.ps1` `Find-GPOLocation.ps1` `Find-TrustedDocuments.ps1` `FireBuster.ps1` `FireListener.ps1` `Get-ApplicationHost.ps1` `Get-ChromeDump.ps1` `Get-ClipboardContents.ps1` `Get-ComputerDetail.ps1` `Get-FoxDump.ps1` `Get-GPPAutologon.ps1` `Get-GPPPassword.ps1` `Get-IndexedItem.ps1` `Get-Keystrokes.ps1` `Get-LSASecret.ps1` `Get-MicrophoneAudio.ps1` `Get-PassHashes.ps1` `Get-PassHints.ps1` `Get-RegAlwaysInstallElevated.ps1` `Get-RegAutoLogon.ps1` `Get-RickAstley.ps1` `Get-Screenshot.ps1` `Get-SecurityPackages.ps1` `Get-ServiceFilePermission.ps1` `Get-ServicePermission.ps1` `Get-ServiceUnquoted.ps1` `Get-SiteListPassword.ps1` `Get-System.ps1` `Get-TimedScreenshot.ps1` `Get-USBKeystrokes.ps1` `Get-UnattendedInstallFile.ps1` `Get-Unconstrained.ps1` `Get-VaultCredential.ps1` `Get-VulnAutoRun.ps1` `Get-VulnSchTask.ps1` `Get-WLAN-Keys.ps1` `Get-WebConfig.ps1` `Get-WebCredentials.ps1` `Gupt-Backdoor.ps1` `HTTP-Backdoor.ps1` `HTTP-Login.ps1` `Install-SSP.ps1` `Install-ServiceBinary.ps1` `Invoke-ACLScanner.ps1` `Invoke-ADSBackdoor.ps1` `Invoke-ARPScan.ps1` `Invoke-AmsiBypass.ps1` `Invoke-BackdoorLNK.ps1` `Invoke-BadPotato.ps1` `Invoke-BetterSafetyKatz.ps1` `Invoke-BruteForce.ps1` `Invoke-BypassUAC.ps1` `Invoke-Carbuncle.ps1` `Invoke-Certify.ps1` `Invoke-ConPtyShell.ps1` `Invoke-CredentialInjection.ps1` `Invoke-CredentialsPhish.ps1` `Invoke-DAFT.ps1` `Invoke-DCSync.ps1` `Invoke-DNSExfiltrator.ps1` `Invoke-Decode.ps1` `Invoke-DinvokeKatz.ps1` `Invoke-DllInjection.ps1` `Invoke-DowngradeAccount.ps1` `Invoke-EgressCheck.ps1` `Invoke-Encode.ps1` `Invoke-EventViewer.ps1` `Invoke-Eyewitness.ps1` `Invoke-FakeLogonScreen.ps1` `Invoke-Farmer.ps1` `Invoke-Get-RBCD-Threaded.ps1` `Invoke-Gopher.ps1` `Invoke-Grouper2.ps1` `Invoke-Grouper3.ps1` `Invoke-HandleKatz.ps1` `Invoke-Interceptor.ps1` `Invoke-Internalmonologue.ps1` `Invoke-Inveigh.ps1` `Invoke-InveighRelay.ps1` `Invoke-JSRatRegsvr.ps1` `Invoke-JSRatRundll.ps1` `Invoke-KrbRelay.ps1` `Invoke-KrbRelayUp.ps1` `Invoke-LdapSignCheck.ps1` `Invoke-Lockless.ps1` `Invoke-MITM6.ps1` `Invoke-MalSCCM.ps1` `Invoke-Mimikatz.ps1` `Invoke-MimikatzWDigestDowngrade.ps1` `Invoke-Mimikittenz.ps1` `Invoke-NanoDump.ps1` `Invoke-NetRipper.ps1` `Invoke-NetworkRelay.ps1` `Invoke-NinjaCopy.ps1` `Invoke-OxidResolver.ps1` `Invoke-P0wnedshell.ps1` `Invoke-P0wnedshellx86.ps1` `Invoke-PPLDump.ps1` `Invoke-PSInject.ps1` `Invoke-Paranoia.ps1` `Invoke-PortScan.ps1` `Invoke-PoshRatHttp.ps1` `Invoke-PoshRatHttps.ps1` `Invoke-PostExfil.ps1` `Invoke-PowerDPAPI.ps1` `Invoke-PowerDump.ps1` `Invoke-PowerShellIcmp.ps1` `Invoke-PowerShellTCP.ps1` `Invoke-PowerShellTcpOneLine.ps1` `Invoke-PowerShellTcpOneLineBind.ps1` `Invoke-PowerShellUdp.ps1` `Invoke-PowerShellUdpOneLine.ps1` `Invoke-PowerShellWMI.ps1` `Invoke-PowerThIEf.ps1` `Invoke-Prasadhak.ps1` `Invoke-PsExec.ps1` `Invoke-PsGcat.ps1` `Invoke-PsGcatAgent.ps1` `Invoke-PsUaCme.ps1` `Invoke-ReflectivePEInjection.ps1` `Invoke-ReverseDNSLookup.ps1` `Invoke-Rubeus.ps1` `Invoke-RunAs.ps1` `Invoke-SCShell.ps1` `Invoke-SMBScanner.ps1` `Invoke-SSHCommand.ps1` `Invoke-SSIDExfil.ps1` `Invoke-SafetyKatz.ps1` `Invoke-SauronEye.ps1` `Invoke-Seatbelt.ps1` `Invoke-ServiceAbuse.ps1` `Invoke-SessionGopher.ps1` `Invoke-Sharp` `Invoke-ShellCode.ps1` `Invoke-Snaffler.ps1` `Invoke-Spoolsample.ps1` `Invoke-StandIn.ps1` `Invoke-StickyNotesExtract.ps1` `Invoke-Tater.ps1` `Invoke-ThunderStruck.ps1` `Invoke-Thunderfox.ps1` `Invoke-TokenManipulation.ps1` `Invoke-Tokenvator.ps1` `Invoke-TotalExec.ps1` `Invoke-UrbanBishop.ps1` `Invoke-UserHunter.ps1` `Invoke-VoiceTroll.ps1` `Invoke-WScriptBypassUAC.ps1` `Invoke-Whisker.ps1` `Invoke-WinEnum.ps1` `Invoke-WireTap.ps1` `Invoke-WmiCommand.ps1` `Invoke-Zerologon.ps1` `Invoke-winPEAS.ps1` `Keylogger.ps1` `MailRaider.ps1` `New-HoneyHash.ps1` `OfficeMemScraper.ps1` `Offline_Winpwn.ps1` `Out-CHM.ps1` `Out-DnsTxt.ps1` `Out-Excel.ps1` `Out-HTA.ps1` `Out-JS.ps1` `Out-Java.ps1` `Out-Minidump.ps1` `Out-RundllCommand.ps1` `Out-SCF.ps1` `Out-SCT.ps1` `Out-Shortcut.ps1` `Out-WebQuery.ps1` `Out-Word.ps1` `PSAsyncShell.ps1` `Parse_Keys.ps1` `Port-Scan.ps1` `PowerBreach.ps1` `PowerRunAsSystem.psm1` `PowerSharpPack.ps1` `PowerUp.ps1` `PowerUpSQL.ps1` `PowerView.ps1` `RemoteHashRetrieval.ps1` `Remove-Persistence.ps1` `Remove-PoshRat.ps1` `Remove-Update.ps1` `Run-EXEonRemote.ps1` `Schtasks-Backdoor.ps1` `Set-DCShadowPermissions.ps1` `Set-MacAttribute.ps1` `Set-RemotePSRemoting.ps1` `Set-RemoteWMI.ps1` `Set-Wallpaper.ps1` `Show-TargetScreen.ps1` `Speak.ps1` `Start-CaptureServer.ps1` `Start-WebcamRecorder.ps1` `StringToBase64.ps1` `TexttoExe.ps1` `Veeam-Get-Creds.ps1` `VolumeShadowCopyTools.ps1` `WSUSpendu.ps1` `WinPwn.ps1` `dnscat2.ps1` `powercat.ps1`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Malicious PowerShell Scripts - PoshModule

MITRE ATT&CK coverage

Event coverage

Rule body yaml

Stages and Predicates

Stage 0: `condition`

Stage 1: `selection_generic`

Stage 2: `selection_invoke_sharp`

Indicators

Keyboard shortcuts

Search operators

Malicious PowerShell Scripts - PoshModule

MITRE ATT&CK coverage

Event coverage

Rule body yaml

Stages and Predicates

Stage 0: condition

Stage 1: selection_generic

Stage 2: selection_invoke_sharp

Indicators

Stage 0: `condition`

Stage 1: `selection_generic`

Stage 2: `selection_invoke_sharp`