Malicious PowerShell Commandlets - ScriptBlock

Status: test
Severity: high
Log source: product windows, category ps_script
Author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
Source: github.com/SigmaHQ/sigma

Detects Commandlet names from well-known PowerShell exploitation frameworks

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1059.001` Command and Scripting Interpreter: PowerShell
Discovery	`T1069.001` Permission Groups Discovery: Local Groups, `T1069.002` Permission Groups Discovery: Domain Groups, `T1087.001` Account Discovery: Local Account, `T1087.002` Account Discovery: Domain Account, `T1482` Domain Trust Discovery

Event coverage

Provider	Event	Title
PowerShell	Event ID 4104	Creating Scriptblock text (MessageNumber of MessageTotal).

Rule body yaml

title: Malicious PowerShell Commandlets - ScriptBlock
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
related:
    - id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
      type: similar
    - id: 02030f2f-6199-49ec-b258-ea71b07e03dc
      type: similar
    - id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
      type: obsolete
    - id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
      type: obsolete
status: test
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
    - https://adsecurity.org/?p=2921
    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
    - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
    - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
    - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
    - https://github.com/HarmJ0y/DAMP
    - https://github.com/samratashok/nishang
    - https://github.com/DarkCoderSc/PowerRunAsSystem/
    - https://github.com/besimorhino/powercat
    - https://github.com/Kevin-Robertson/Powermad
    - https://github.com/adrecon/ADRecon
    - https://github.com/adrecon/AzureADRecon
    - https://github.com/The-Viper-One/Invoke-PowerDPAPI/
    - https://github.com/Arno0x/DNSExfiltrator/
author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
date: 2017-03-05
modified: 2025-12-10
tags:
    - attack.execution
    - attack.discovery
    - attack.t1482
    - attack.t1087
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1069.001
    - attack.t1069.002
    - attack.t1069
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            # Note: Please ensure alphabetical order when adding new entries
            - 'Add-Exfiltration'
            - 'Add-Persistence'
            - 'Add-RegBackdoor'
            - 'Add-RemoteRegBackdoor'
            - 'Add-ScrnSaveBackdoor'
            - 'ConvertTo-Rc4ByteStream'
            - 'Decrypt-Hash'
            - 'Disable-ADIDNSNode'
            - 'Do-Exfiltration'
            - 'Enable-ADIDNSNode'
            - 'Enabled-DuplicateToken'
            - 'Exploit-Jboss'
            - 'Export-ADRCSV'
            - 'Export-ADRExcel'
            - 'Export-ADRHTML'
            - 'Export-ADRJSON'
            - 'Export-ADRXML'
            - 'Find-Fruit'
            - 'Find-GPOLocation'
            - 'Find-TrustedDocuments'
            - 'Get-ADIDNSNodeAttribute'
            - 'Get-ADIDNSNodeOwner'
            - 'Get-ADIDNSNodeTombstoned'
            - 'Get-ADIDNSPermission'
            - 'Get-ADIDNSZone'
            - 'Get-ChromeDump'
            - 'Get-ClipboardContents'
            - 'Get-FoxDump'
            - 'Get-GPPPassword'
            - 'Get-IndexedItem'
            - 'Get-KerberosAESKey'
            - 'Get-Keystrokes'
            - 'Get-LSASecret'
            - 'Get-PassHashes'
            - 'Get-RegAlwaysInstallElevated'
            - 'Get-RegAutoLogon'
            - 'Get-RemoteBootKey'
            - 'Get-RemoteCachedCredential'
            - 'Get-RemoteLocalAccountHash'
            - 'Get-RemoteLSAKey'
            - 'Get-RemoteMachineAccountHash'
            - 'Get-RemoteNLKMKey'
            - 'Get-RickAstley'
            - 'Get-SecurityPackages'
            - 'Get-ServiceFilePermission'
            - 'Get-ServicePermission'
            - 'Get-ServiceUnquoted'
            - 'Get-SiteListPassword'
            - 'Get-System'
            - 'Get-TimedScreenshot'
            - 'Get-UnattendedInstallFile'
            - 'Get-Unconstrained'
            - 'Get-USBKeystrokes'
            - 'Get-VaultCredential'
            - 'Get-VulnAutoRun'
            - 'Get-VulnSchTask'
            - 'Grant-ADIDNSPermission'
            - 'Gupt-Backdoor'
            - 'Invoke-ACLScanner'
            - 'Invoke-ADRecon'
            - 'Invoke-ADSBackdoor'
            - 'Invoke-AgentSmith'
            - 'Invoke-AllChecks'
            - 'Invoke-ARPScan'
            - 'Invoke-AzureHound'
            - 'Invoke-BackdoorLNK'
            - 'Invoke-BadPotato'
            - 'Invoke-BetterSafetyKatz'
            - 'Invoke-BypassUAC'
            - 'Invoke-Carbuncle'
            - 'Invoke-Certify'
            - 'Invoke-ConPtyShell'
            - 'Invoke-CredentialInjection'
            - 'Invoke-DAFT'
            - 'Invoke-DCSync'
            - 'Invoke-DinvokeKatz'
            - 'Invoke-DllInjection'
            - 'Invoke-DNSUpdate'
            - 'Invoke-DNSExfiltrator'
            - 'Invoke-DomainPasswordSpray'
            - 'Invoke-DowngradeAccount'
            - 'Invoke-EgressCheck'
            - 'Invoke-Eyewitness'
            - 'Invoke-FakeLogonScreen'
            - 'Invoke-Farmer'
            - 'Invoke-Get-RBCD-Threaded'
            - 'Invoke-Gopher'
            - 'Invoke-Grouper' # Also Covers Invoke-GrouperX
            - 'Invoke-HandleKatz'
            - 'Invoke-ImpersonatedProcess'
            - 'Invoke-ImpersonateSystem'
            - 'Invoke-InteractiveSystemPowerShell'
            - 'Invoke-Internalmonologue'
            - 'Invoke-Inveigh'
            - 'Invoke-InveighRelay'
            - 'Invoke-KrbRelay'
            - 'Invoke-LdapSignCheck'
            - 'Invoke-Lockless'
            - 'Invoke-MalSCCM'
            - 'Invoke-Mimikatz'
            - 'Invoke-Mimikittenz'
            - 'Invoke-MITM6'
            - 'Invoke-NanoDump'
            - 'Invoke-NetRipper'
            - 'Invoke-Nightmare'
            - 'Invoke-NinjaCopy'
            - 'Invoke-OfficeScrape'
            - 'Invoke-OxidResolver'
            - 'Invoke-P0wnedshell'
            - 'Invoke-Paranoia'
            - 'Invoke-PortScan'
            - 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
            - 'Invoke-PostExfil'
            - 'Invoke-PowerDump'
            - 'Invoke-PowerDPAPI'
            - 'Invoke-PowerShellTCP'
            - 'Invoke-PowerShellWMI'
            - 'Invoke-PPLDump'
            - 'Invoke-PsExec'
            - 'Invoke-PSInject'
            - 'Invoke-PsUaCme'
            - 'Invoke-ReflectivePEInjection'
            - 'Invoke-ReverseDNSLookup'
            - 'Invoke-Rubeus'
            - 'Invoke-RunAs'
            - 'Invoke-SafetyKatz'
            - 'Invoke-SauronEye'
            - 'Invoke-SCShell'
            - 'Invoke-Seatbelt'
            - 'Invoke-ServiceAbuse'
            - 'Invoke-ShadowSpray'
            - 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
            - 'Invoke-Shellcode'
            - 'Invoke-SMBScanner'
            - 'Invoke-Snaffler'
            - 'Invoke-Spoolsample'
            - 'Invoke-SpraySinglePassword'
            - 'Invoke-SSHCommand'
            - 'Invoke-StandIn'
            - 'Invoke-StickyNotesExtract'
            - 'Invoke-SystemCommand'
            - 'Invoke-Tasksbackdoor'
            - 'Invoke-Tater'
            - 'Invoke-Thunderfox'
            - 'Invoke-ThunderStruck'
            - 'Invoke-TokenManipulation'
            - 'Invoke-Tokenvator'
            - 'Invoke-TotalExec'
            - 'Invoke-UrbanBishop'
            - 'Invoke-UserHunter'
            - 'Invoke-VoiceTroll'
            - 'Invoke-Whisker'
            - 'Invoke-WinEnum'
            - 'Invoke-winPEAS'
            - 'Invoke-WireTap'
            - 'Invoke-WmiCommand'
            - 'Invoke-WMIExec'
            - 'Invoke-WScriptBypassUAC'
            - 'Invoke-Zerologon'
            - 'MailRaider'
            - 'New-ADIDNSNode'
            - 'New-HoneyHash'
            - 'New-InMemoryModule'
            - 'New-SOASerialNumberArray'
            - 'Out-Minidump'
            - 'PowerBreach'
            - 'powercat '
            - 'PowerUp'
            - 'PowerView'
            - 'Remove-ADIDNSNode'
            - 'Remove-Update'
            - 'Rename-ADIDNSNode'
            - 'Revoke-ADIDNSPermission'
            - 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
            - 'Show-TargetScreen'
            - 'Start-CaptureServer'
            - 'Start-Dnscat2'
            - 'Start-WebcamRecorder'
            - 'VolumeShadowCopyTools'
            # - 'Check-VM'
            # - 'Disable-MachineAccount'
            # - 'Enable-MachineAccount'
            # - 'Get-ApplicationHost'
            # - 'Get-MachineAccountAttribute'
            # - 'Get-MachineAccountCreator'
            # - 'Get-Screenshot'
            # - 'HTTP-Login'
            # - 'Install-ServiceBinary'
            # - 'Install-SSP'
            # - 'New-DNSRecordArray'
            # - 'New-MachineAccount'
            # - 'Port-Scan'
            # - 'Remove-MachineAccount'
            # - 'Set-MacAttribute'
            # - 'Set-MachineAccountAttribute'
            # - 'Set-Wallpaper'
    filter_optional_amazon_ec2:
        ScriptBlockText|contains:
            - Get-SystemDriveInfo  # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
            - C:\ProgramData\Amazon\EC2-Windows\Launch\Module\  # false positive form Amazon EC2
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high

Stages and Predicates

Stage 0: `condition`

selection and not 1 of filter_optional_*

Stage 1: `selection`

selection:
    ScriptBlockText|contains:
        - 'Add-Exfiltration'
        - 'Add-Persistence'
        - 'Add-RegBackdoor'
        - 'Add-RemoteRegBackdoor'
        - 'Add-ScrnSaveBackdoor'
        - 'ConvertTo-Rc4ByteStream'
        - 'Decrypt-Hash'
        - 'Disable-ADIDNSNode'
        - 'Do-Exfiltration'
        - 'Enable-ADIDNSNode'
        - 'Enabled-DuplicateToken'
        - 'Exploit-Jboss'
        - 'Export-ADRCSV'
        - 'Export-ADRExcel'
        - 'Export-ADRHTML'
        - 'Export-ADRJSON'
        - 'Export-ADRXML'
        - 'Find-Fruit'
        - 'Find-GPOLocation'
        - 'Find-TrustedDocuments'
        - 'Get-ADIDNSNodeAttribute'
        - 'Get-ADIDNSNodeOwner'
        - 'Get-ADIDNSNodeTombstoned'
        - 'Get-ADIDNSPermission'
        - 'Get-ADIDNSZone'
        - 'Get-ChromeDump'
        - 'Get-ClipboardContents'
        - 'Get-FoxDump'
        - 'Get-GPPPassword'
        - 'Get-IndexedItem'
        - 'Get-KerberosAESKey'
        - 'Get-Keystrokes'
        - 'Get-LSASecret'
        - 'Get-PassHashes'
        - 'Get-RegAlwaysInstallElevated'
        - 'Get-RegAutoLogon'
        - 'Get-RemoteBootKey'
        - 'Get-RemoteCachedCredential'
        - 'Get-RemoteLocalAccountHash'
        - 'Get-RemoteLSAKey'
        - 'Get-RemoteMachineAccountHash'
        - 'Get-RemoteNLKMKey'
        - 'Get-RickAstley'
        - 'Get-SecurityPackages'
        - 'Get-ServiceFilePermission'
        - 'Get-ServicePermission'
        - 'Get-ServiceUnquoted'
        - 'Get-SiteListPassword'
        - 'Get-System'
        - 'Get-TimedScreenshot'
        - 'Get-UnattendedInstallFile'
        - 'Get-Unconstrained'
        - 'Get-USBKeystrokes'
        - 'Get-VaultCredential'
        - 'Get-VulnAutoRun'
        - 'Get-VulnSchTask'
        - 'Grant-ADIDNSPermission'
        - 'Gupt-Backdoor'
        - 'Invoke-ACLScanner'
        - 'Invoke-ADRecon'
        - 'Invoke-ADSBackdoor'
        - 'Invoke-AgentSmith'
        - 'Invoke-AllChecks'
        - 'Invoke-ARPScan'
        - 'Invoke-AzureHound'
        - 'Invoke-BackdoorLNK'
        - 'Invoke-BadPotato'
        - 'Invoke-BetterSafetyKatz'
        - 'Invoke-BypassUAC'
        - 'Invoke-Carbuncle'
        - 'Invoke-Certify'
        - 'Invoke-ConPtyShell'
        - 'Invoke-CredentialInjection'
        - 'Invoke-DAFT'
        - 'Invoke-DCSync'
        - 'Invoke-DinvokeKatz'
        - 'Invoke-DllInjection'
        - 'Invoke-DNSUpdate'
        - 'Invoke-DNSExfiltrator'
        - 'Invoke-DomainPasswordSpray'
        - 'Invoke-DowngradeAccount'
        - 'Invoke-EgressCheck'
        - 'Invoke-Eyewitness'
        - 'Invoke-FakeLogonScreen'
        - 'Invoke-Farmer'
        - 'Invoke-Get-RBCD-Threaded'
        - 'Invoke-Gopher'
        - 'Invoke-Grouper'
        - 'Invoke-HandleKatz'
        - 'Invoke-ImpersonatedProcess'
        - 'Invoke-ImpersonateSystem'
        - 'Invoke-InteractiveSystemPowerShell'
        - 'Invoke-Internalmonologue'
        - 'Invoke-Inveigh'
        - 'Invoke-InveighRelay'
        - 'Invoke-KrbRelay'
        - 'Invoke-LdapSignCheck'
        - 'Invoke-Lockless'
        - 'Invoke-MalSCCM'
        - 'Invoke-Mimikatz'
        - 'Invoke-Mimikittenz'
        - 'Invoke-MITM6'
        - 'Invoke-NanoDump'
        - 'Invoke-NetRipper'
        - 'Invoke-Nightmare'
        - 'Invoke-NinjaCopy'
        - 'Invoke-OfficeScrape'
        - 'Invoke-OxidResolver'
        - 'Invoke-P0wnedshell'
        - 'Invoke-Paranoia'
        - 'Invoke-PortScan'
        - 'Invoke-PoshRatHttp'
        - 'Invoke-PostExfil'
        - 'Invoke-PowerDump'
        - 'Invoke-PowerDPAPI'
        - 'Invoke-PowerShellTCP'
        - 'Invoke-PowerShellWMI'
        - 'Invoke-PPLDump'
        - 'Invoke-PsExec'
        - 'Invoke-PSInject'
        - 'Invoke-PsUaCme'
        - 'Invoke-ReflectivePEInjection'
        - 'Invoke-ReverseDNSLookup'
        - 'Invoke-Rubeus'
        - 'Invoke-RunAs'
        - 'Invoke-SafetyKatz'
        - 'Invoke-SauronEye'
        - 'Invoke-SCShell'
        - 'Invoke-Seatbelt'
        - 'Invoke-ServiceAbuse'
        - 'Invoke-ShadowSpray'
        - 'Invoke-Sharp'
        - 'Invoke-Shellcode'
        - 'Invoke-SMBScanner'
        - 'Invoke-Snaffler'
        - 'Invoke-Spoolsample'
        - 'Invoke-SpraySinglePassword'
        - 'Invoke-SSHCommand'
        - 'Invoke-StandIn'
        - 'Invoke-StickyNotesExtract'
        - 'Invoke-SystemCommand'
        - 'Invoke-Tasksbackdoor'
        - 'Invoke-Tater'
        - 'Invoke-Thunderfox'
        - 'Invoke-ThunderStruck'
        - 'Invoke-TokenManipulation'
        - 'Invoke-Tokenvator'
        - 'Invoke-TotalExec'
        - 'Invoke-UrbanBishop'
        - 'Invoke-UserHunter'
        - 'Invoke-VoiceTroll'
        - 'Invoke-Whisker'
        - 'Invoke-WinEnum'
        - 'Invoke-winPEAS'
        - 'Invoke-WireTap'
        - 'Invoke-WmiCommand'
        - 'Invoke-WMIExec'
        - 'Invoke-WScriptBypassUAC'
        - 'Invoke-Zerologon'
        - 'MailRaider'
        - 'New-ADIDNSNode'
        - 'New-HoneyHash'
        - 'New-InMemoryModule'
        - 'New-SOASerialNumberArray'
        - 'Out-Minidump'
        - 'PowerBreach'
        - 'powercat '
        - 'PowerUp'
        - 'PowerView'
        - 'Remove-ADIDNSNode'
        - 'Remove-Update'
        - 'Rename-ADIDNSNode'
        - 'Revoke-ADIDNSPermission'
        - 'Set-ADIDNSNode'
        - 'Show-TargetScreen'
        - 'Start-CaptureServer'
        - 'Start-Dnscat2'
        - 'Start-WebcamRecorder'
        - 'VolumeShadowCopyTools'

Stage 2: `not filter_optional_amazon_ec2`

filter_optional_amazon_ec2:
    ScriptBlockText|contains:
        - Get-SystemDriveInfo
        - C:\ProgramData\Amazon\EC2-Windows\Launch\Module\

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field	Kind	Excluded values
`ScriptBlockText`	match	`C:\ProgramData\Amazon\EC2-Windows\Launch\Module\`
`ScriptBlockText`	match	`Get-SystemDriveInfo`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`ScriptBlockText`	match	`Add-Exfiltration` `Add-Persistence` `Add-RegBackdoor` `Add-RemoteRegBackdoor` `Add-ScrnSaveBackdoor` `ConvertTo-Rc4ByteStream` `Decrypt-Hash` `Disable-ADIDNSNode` `Do-Exfiltration` `Enable-ADIDNSNode` `Enabled-DuplicateToken` `Exploit-Jboss` `Export-ADRCSV` `Export-ADRExcel` `Export-ADRHTML` `Export-ADRJSON` `Export-ADRXML` `Find-Fruit` `Find-GPOLocation` corpus 2 (sigma 2) `Find-TrustedDocuments` `Get-ADIDNSNodeAttribute` `Get-ADIDNSNodeOwner` `Get-ADIDNSNodeTombstoned` `Get-ADIDNSPermission` `Get-ADIDNSZone` `Get-ChromeDump` `Get-ClipboardContents` `Get-FoxDump` `Get-GPPPassword` `Get-IndexedItem` `Get-KerberosAESKey` `Get-Keystrokes` corpus 2 (sigma 2) `Get-LSASecret` `Get-PassHashes` `Get-RegAlwaysInstallElevated` `Get-RegAutoLogon` `Get-RemoteBootKey` `Get-RemoteCachedCredential` `Get-RemoteLSAKey` `Get-RemoteLocalAccountHash` `Get-RemoteMachineAccountHash` `Get-RemoteNLKMKey` `Get-RickAstley` `Get-SecurityPackages` `Get-ServiceFilePermission` `Get-ServicePermission` `Get-ServiceUnquoted` `Get-SiteListPassword` `Get-System` `Get-TimedScreenshot` `Get-USBKeystrokes` `Get-UnattendedInstallFile` `Get-Unconstrained` `Get-VaultCredential` `Get-VulnAutoRun` `Get-VulnSchTask` `Grant-ADIDNSPermission` `Gupt-Backdoor` `Invoke-ACLScanner` corpus 2 (sigma 2) `Invoke-ADRecon` `Invoke-ADSBackdoor` `Invoke-ARPScan` `Invoke-AgentSmith` `Invoke-AllChecks` `Invoke-AzureHound` `Invoke-BackdoorLNK` `Invoke-BadPotato` `Invoke-BetterSafetyKatz` `Invoke-BypassUAC` `Invoke-Carbuncle` `Invoke-Certify` `Invoke-ConPtyShell` `Invoke-CredentialInjection` `Invoke-DAFT` `Invoke-DCSync` `Invoke-DNSExfiltrator` corpus 2 (sigma 2) `Invoke-DNSUpdate` `Invoke-DinvokeKatz` `Invoke-DllInjection` `Invoke-DomainPasswordSpray` `Invoke-DowngradeAccount` `Invoke-EgressCheck` `Invoke-Eyewitness` `Invoke-FakeLogonScreen` `Invoke-Farmer` `Invoke-Get-RBCD-Threaded` `Invoke-Gopher` `Invoke-Grouper` `Invoke-HandleKatz` `Invoke-ImpersonateSystem` `Invoke-ImpersonatedProcess` `Invoke-InteractiveSystemPowerShell` `Invoke-Internalmonologue` `Invoke-Inveigh` `Invoke-InveighRelay` `Invoke-KrbRelay` `Invoke-LdapSignCheck` `Invoke-Lockless` `Invoke-MITM6` `Invoke-MalSCCM` `Invoke-Mimikatz` `Invoke-Mimikittenz` `Invoke-NanoDump` `Invoke-NetRipper` `Invoke-Nightmare` `Invoke-NinjaCopy` `Invoke-OfficeScrape` `Invoke-OxidResolver` `Invoke-P0wnedshell` `Invoke-PPLDump` `Invoke-PSInject` `Invoke-Paranoia` `Invoke-PortScan` `Invoke-PoshRatHttp` `Invoke-PostExfil` `Invoke-PowerDPAPI` `Invoke-PowerDump` `Invoke-PowerShellTCP` `Invoke-PowerShellWMI` `Invoke-PsExec` `Invoke-PsUaCme` `Invoke-ReflectivePEInjection` `Invoke-ReverseDNSLookup` `Invoke-Rubeus` `Invoke-RunAs` `Invoke-SCShell` `Invoke-SMBScanner` `Invoke-SSHCommand` `Invoke-SafetyKatz` `Invoke-SauronEye` `Invoke-Seatbelt` `Invoke-ServiceAbuse` `Invoke-ShadowSpray` `Invoke-Sharp` `Invoke-Shellcode` `Invoke-Snaffler` `Invoke-Spoolsample` `Invoke-SpraySinglePassword` `Invoke-StandIn` `Invoke-StickyNotesExtract` `Invoke-SystemCommand` `Invoke-Tasksbackdoor` `Invoke-Tater` `Invoke-ThunderStruck` `Invoke-Thunderfox` `Invoke-TokenManipulation` `Invoke-Tokenvator` `Invoke-TotalExec` `Invoke-UrbanBishop` `Invoke-UserHunter` corpus 2 (sigma 2) `Invoke-VoiceTroll` `Invoke-WMIExec` corpus 2 (sigma 1, splunk 1) `Invoke-WScriptBypassUAC` `Invoke-Whisker` `Invoke-WinEnum` `Invoke-WireTap` `Invoke-WmiCommand` `Invoke-Zerologon` `Invoke-winPEAS` `MailRaider` `New-ADIDNSNode` `New-HoneyHash` `New-InMemoryModule` `New-SOASerialNumberArray` `Out-Minidump` `PowerBreach` `PowerUp` `PowerView` `Remove-ADIDNSNode` `Remove-Update` corpus 2 (sigma 2) `Rename-ADIDNSNode` `Revoke-ADIDNSPermission` `Set-ADIDNSNode` `Show-TargetScreen` `Start-CaptureServer` `Start-Dnscat2` `Start-WebcamRecorder` `VolumeShadowCopyTools` `powercat`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Malicious PowerShell Commandlets - ScriptBlock

MITRE ATT&CK coverage

Event coverage

Rule body yaml

Stages and Predicates

Stage 0: `condition`

Stage 1: `selection`

Stage 2: `not filter_optional_amazon_ec2`

Exclusions

Indicators

Keyboard shortcuts

Search operators

Malicious PowerShell Commandlets - ScriptBlock

MITRE ATT&CK coverage

Event coverage

Rule body yaml

Stages and Predicates

Stage 0: condition

Stage 1: selection

Stage 2: not filter_optional_amazon_ec2

Exclusions

Indicators

Stage 0: `condition`

Stage 1: `selection`

Stage 2: `not filter_optional_amazon_ec2`