Malicious PowerShell Commandlets - ProcessCreation

Status: test
Severity: high
Log source: product windows, category process_creation
Author: Nasreddine Bencherchali (Nextron Systems)
Source: github.com/SigmaHQ/sigma

Detects Commandlet names from well-known PowerShell exploitation frameworks

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1059.001` Command and Scripting Interpreter: PowerShell
Discovery	`T1069.001` Permission Groups Discovery: Local Groups, `T1069.002` Permission Groups Discovery: Domain Groups, `T1087.001` Account Discovery: Local Account, `T1087.002` Account Discovery: Domain Account, `T1482` Domain Trust Discovery

Event coverage

Provider	Event	Title
Sysmon	Event ID 1	Process creation
Security-Auditing	Event ID 4688	A new process has been created.

Rule body yaml

title: Malicious PowerShell Commandlets - ProcessCreation
id: 02030f2f-6199-49ec-b258-ea71b07e03dc
related:
    - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
      type: derived
    - id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
      type: similar
status: test
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
    - https://adsecurity.org/?p=2921
    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
    - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
    - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
    - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
    - https://github.com/HarmJ0y/DAMP
    - https://github.com/samratashok/nishang
    - https://github.com/DarkCoderSc/PowerRunAsSystem/
    - https://github.com/besimorhino/powercat
    - https://github.com/Kevin-Robertson/Powermad
    - https://github.com/adrecon/ADRecon
    - https://github.com/adrecon/AzureADRecon
    - https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
    - https://github.com/The-Viper-One/Invoke-PowerDPAPI/
    - https://github.com/Arno0x/DNSExfiltrator/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
modified: 2025-12-10
tags:
    - attack.execution
    - attack.discovery
    - attack.t1482
    - attack.t1087
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1069.001
    - attack.t1069.002
    - attack.t1069
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Note: Please ensure alphabetical order when adding new entries
        CommandLine|contains:
            - 'Add-Exfiltration'
            - 'Add-Persistence'
            - 'Add-RegBackdoor'
            - 'Add-RemoteRegBackdoor'
            - 'Add-ScrnSaveBackdoor'
            - 'Check-VM'
            - 'ConvertTo-Rc4ByteStream'
            - 'Decrypt-Hash'
            - 'Disable-ADIDNSNode'
            - 'Disable-MachineAccount'
            - 'Do-Exfiltration'
            - 'Enable-ADIDNSNode'
            - 'Enable-MachineAccount'
            - 'Enabled-DuplicateToken'
            - 'Exploit-Jboss'
            - 'Export-ADR'
            - 'Export-ADRCSV'
            - 'Export-ADRExcel'
            - 'Export-ADRHTML'
            - 'Export-ADRJSON'
            - 'Export-ADRXML'
            - 'Find-Fruit'
            - 'Find-GPOLocation'
            - 'Find-TrustedDocuments'
            - 'Get-ADIDNS' # Covers: Get-ADIDNSNodeAttribute, Get-ADIDNSNodeOwner, Get-ADIDNSNodeTombstoned, Get-ADIDNSPermission, Get-ADIDNSZone
            - 'Get-ApplicationHost'
            - 'Get-ChromeDump'
            - 'Get-ClipboardContents'
            - 'Get-FoxDump'
            - 'Get-GPPPassword'
            - 'Get-IndexedItem'
            - 'Get-KerberosAESKey'
            - 'Get-Keystrokes'
            - 'Get-LSASecret'
            - 'Get-MachineAccountAttribute'
            - 'Get-MachineAccountCreator'
            - 'Get-PassHashes'
            - 'Get-RegAlwaysInstallElevated'
            - 'Get-RegAutoLogon'
            - 'Get-RemoteBootKey'
            - 'Get-RemoteCachedCredential'
            - 'Get-RemoteLocalAccountHash'
            - 'Get-RemoteLSAKey'
            - 'Get-RemoteMachineAccountHash'
            - 'Get-RemoteNLKMKey'
            - 'Get-RickAstley'
            - 'Get-Screenshot'
            - 'Get-SecurityPackages'
            - 'Get-ServiceFilePermission'
            - 'Get-ServicePermission'
            - 'Get-ServiceUnquoted'
            - 'Get-SiteListPassword'
            - 'Get-System'
            - 'Get-TimedScreenshot'
            - 'Get-UnattendedInstallFile'
            - 'Get-Unconstrained'
            - 'Get-USBKeystrokes'
            - 'Get-VaultCredential'
            - 'Get-VulnAutoRun'
            - 'Get-VulnSchTask'
            - 'Grant-ADIDNSPermission'
            - 'Gupt-Backdoor'
            - 'HTTP-Login'
            - 'Install-ServiceBinary'
            - 'Install-SSP'
            - 'Invoke-ACLScanner'
            - 'Invoke-ADRecon'
            - 'Invoke-ADSBackdoor'
            - 'Invoke-AgentSmith'
            - 'Invoke-AllChecks'
            - 'Invoke-ARPScan'
            - 'Invoke-AzureHound'
            - 'Invoke-BackdoorLNK'
            - 'Invoke-BadPotato'
            - 'Invoke-BetterSafetyKatz'
            - 'Invoke-BypassUAC'
            - 'Invoke-Carbuncle'
            - 'Invoke-Certify'
            - 'Invoke-ConPtyShell'
            - 'Invoke-CredentialInjection'
            - 'Invoke-DAFT'
            - 'Invoke-DCSync'
            - 'Invoke-DinvokeKatz'
            - 'Invoke-DllInjection'
            - 'Invoke-DNSUpdate'
            - 'Invoke-DNSExfiltrator'
            - 'Invoke-DomainPasswordSpray'
            - 'Invoke-DowngradeAccount'
            - 'Invoke-EgressCheck'
            - 'Invoke-Eyewitness'
            - 'Invoke-FakeLogonScreen'
            - 'Invoke-Farmer'
            - 'Invoke-Get-RBCD-Threaded'
            - 'Invoke-Gopher'
            - 'Invoke-Grouper' # Also Covers Invoke-GrouperX
            - 'Invoke-HandleKatz'
            - 'Invoke-ImpersonatedProcess'
            - 'Invoke-ImpersonateSystem'
            - 'Invoke-InteractiveSystemPowerShell'
            - 'Invoke-Internalmonologue'
            - 'Invoke-Inveigh'
            - 'Invoke-InveighRelay'
            - 'Invoke-KrbRelay'
            - 'Invoke-LdapSignCheck'
            - 'Invoke-Lockless'
            - 'Invoke-MalSCCM'
            - 'Invoke-Mimikatz'
            - 'Invoke-Mimikittenz'
            - 'Invoke-MITM6'
            - 'Invoke-NanoDump'
            - 'Invoke-NetRipper'
            - 'Invoke-Nightmare'
            - 'Invoke-NinjaCopy'
            - 'Invoke-OfficeScrape'
            - 'Invoke-OxidResolver'
            - 'Invoke-P0wnedshell'
            - 'Invoke-Paranoia'
            - 'Invoke-PortScan'
            - 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
            - 'Invoke-PostExfil'
            - 'Invoke-PowerDump'
            - 'Invoke-PowerDPAPI'
            - 'Invoke-PowerShellTCP'
            - 'Invoke-PowerShellWMI'
            - 'Invoke-PPLDump'
            - 'Invoke-PsExec'
            - 'Invoke-PSInject'
            - 'Invoke-PsUaCme'
            - 'Invoke-ReflectivePEInjection'
            - 'Invoke-ReverseDNSLookup'
            - 'Invoke-Rubeus'
            - 'Invoke-RunAs'
            - 'Invoke-SafetyKatz'
            - 'Invoke-SauronEye'
            - 'Invoke-SCShell'
            - 'Invoke-Seatbelt'
            - 'Invoke-ServiceAbuse'
            - 'Invoke-ShadowSpray'
            - 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
            - 'Invoke-Shellcode'
            - 'Invoke-SMBScanner'
            - 'Invoke-Snaffler'
            - 'Invoke-Spoolsample'
            - 'Invoke-SpraySinglePassword'
            - 'Invoke-SSHCommand'
            - 'Invoke-StandIn'
            - 'Invoke-StickyNotesExtract'
            - 'Invoke-SystemCommand'
            - 'Invoke-Tasksbackdoor'
            - 'Invoke-Tater'
            - 'Invoke-Thunderfox'
            - 'Invoke-ThunderStruck'
            - 'Invoke-TokenManipulation'
            - 'Invoke-Tokenvator'
            - 'Invoke-TotalExec'
            - 'Invoke-UrbanBishop'
            - 'Invoke-UserHunter'
            - 'Invoke-VoiceTroll'
            - 'Invoke-Whisker'
            - 'Invoke-WinEnum'
            - 'Invoke-winPEAS'
            - 'Invoke-WireTap'
            - 'Invoke-WmiCommand'
            - 'Invoke-WMIExec'
            - 'Invoke-WScriptBypassUAC'
            - 'Invoke-Zerologon'
            - 'MailRaider'
            - 'New-ADIDNSNode'
            - 'New-DNSRecordArray'
            - 'New-HoneyHash'
            - 'New-InMemoryModule'
            - 'New-MachineAccount'
            - 'New-SOASerialNumberArray'
            - 'Out-Minidump'
            - 'Port-Scan'
            - 'PowerBreach'
            - 'powercat '
            - 'PowerUp'
            - 'PowerView'
            - 'Remove-ADIDNSNode'
            - 'Remove-MachineAccount'
            - 'Remove-Update'
            - 'Rename-ADIDNSNode'
            - 'Revoke-ADIDNSPermission'
            - 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
            - 'Set-MacAttribute'
            - 'Set-MachineAccountAttribute'
            - 'Set-Wallpaper'
            - 'Show-TargetScreen'
            - 'Start-CaptureServer'
            - 'Start-Dnscat2'
            - 'Start-WebcamRecorder'
            - 'Veeam-Get-Creds'
            - 'VolumeShadowCopyTools'
    condition: selection
falsepositives:
    - Unknown
level: high

Stages and Predicates

Stage 0: `condition`

selection

Stage 1: `selection`

selection:
    CommandLine|contains:
        - 'Add-Exfiltration'
        - 'Add-Persistence'
        - 'Add-RegBackdoor'
        - 'Add-RemoteRegBackdoor'
        - 'Add-ScrnSaveBackdoor'
        - 'Check-VM'
        - 'ConvertTo-Rc4ByteStream'
        - 'Decrypt-Hash'
        - 'Disable-ADIDNSNode'
        - 'Disable-MachineAccount'
        - 'Do-Exfiltration'
        - 'Enable-ADIDNSNode'
        - 'Enable-MachineAccount'
        - 'Enabled-DuplicateToken'
        - 'Exploit-Jboss'
        - 'Export-ADR'
        - 'Export-ADRCSV'
        - 'Export-ADRExcel'
        - 'Export-ADRHTML'
        - 'Export-ADRJSON'
        - 'Export-ADRXML'
        - 'Find-Fruit'
        - 'Find-GPOLocation'
        - 'Find-TrustedDocuments'
        - 'Get-ADIDNS'
        - 'Get-ApplicationHost'
        - 'Get-ChromeDump'
        - 'Get-ClipboardContents'
        - 'Get-FoxDump'
        - 'Get-GPPPassword'
        - 'Get-IndexedItem'
        - 'Get-KerberosAESKey'
        - 'Get-Keystrokes'
        - 'Get-LSASecret'
        - 'Get-MachineAccountAttribute'
        - 'Get-MachineAccountCreator'
        - 'Get-PassHashes'
        - 'Get-RegAlwaysInstallElevated'
        - 'Get-RegAutoLogon'
        - 'Get-RemoteBootKey'
        - 'Get-RemoteCachedCredential'
        - 'Get-RemoteLocalAccountHash'
        - 'Get-RemoteLSAKey'
        - 'Get-RemoteMachineAccountHash'
        - 'Get-RemoteNLKMKey'
        - 'Get-RickAstley'
        - 'Get-Screenshot'
        - 'Get-SecurityPackages'
        - 'Get-ServiceFilePermission'
        - 'Get-ServicePermission'
        - 'Get-ServiceUnquoted'
        - 'Get-SiteListPassword'
        - 'Get-System'
        - 'Get-TimedScreenshot'
        - 'Get-UnattendedInstallFile'
        - 'Get-Unconstrained'
        - 'Get-USBKeystrokes'
        - 'Get-VaultCredential'
        - 'Get-VulnAutoRun'
        - 'Get-VulnSchTask'
        - 'Grant-ADIDNSPermission'
        - 'Gupt-Backdoor'
        - 'HTTP-Login'
        - 'Install-ServiceBinary'
        - 'Install-SSP'
        - 'Invoke-ACLScanner'
        - 'Invoke-ADRecon'
        - 'Invoke-ADSBackdoor'
        - 'Invoke-AgentSmith'
        - 'Invoke-AllChecks'
        - 'Invoke-ARPScan'
        - 'Invoke-AzureHound'
        - 'Invoke-BackdoorLNK'
        - 'Invoke-BadPotato'
        - 'Invoke-BetterSafetyKatz'
        - 'Invoke-BypassUAC'
        - 'Invoke-Carbuncle'
        - 'Invoke-Certify'
        - 'Invoke-ConPtyShell'
        - 'Invoke-CredentialInjection'
        - 'Invoke-DAFT'
        - 'Invoke-DCSync'
        - 'Invoke-DinvokeKatz'
        - 'Invoke-DllInjection'
        - 'Invoke-DNSUpdate'
        - 'Invoke-DNSExfiltrator'
        - 'Invoke-DomainPasswordSpray'
        - 'Invoke-DowngradeAccount'
        - 'Invoke-EgressCheck'
        - 'Invoke-Eyewitness'
        - 'Invoke-FakeLogonScreen'
        - 'Invoke-Farmer'
        - 'Invoke-Get-RBCD-Threaded'
        - 'Invoke-Gopher'
        - 'Invoke-Grouper'
        - 'Invoke-HandleKatz'
        - 'Invoke-ImpersonatedProcess'
        - 'Invoke-ImpersonateSystem'
        - 'Invoke-InteractiveSystemPowerShell'
        - 'Invoke-Internalmonologue'
        - 'Invoke-Inveigh'
        - 'Invoke-InveighRelay'
        - 'Invoke-KrbRelay'
        - 'Invoke-LdapSignCheck'
        - 'Invoke-Lockless'
        - 'Invoke-MalSCCM'
        - 'Invoke-Mimikatz'
        - 'Invoke-Mimikittenz'
        - 'Invoke-MITM6'
        - 'Invoke-NanoDump'
        - 'Invoke-NetRipper'
        - 'Invoke-Nightmare'
        - 'Invoke-NinjaCopy'
        - 'Invoke-OfficeScrape'
        - 'Invoke-OxidResolver'
        - 'Invoke-P0wnedshell'
        - 'Invoke-Paranoia'
        - 'Invoke-PortScan'
        - 'Invoke-PoshRatHttp'
        - 'Invoke-PostExfil'
        - 'Invoke-PowerDump'
        - 'Invoke-PowerDPAPI'
        - 'Invoke-PowerShellTCP'
        - 'Invoke-PowerShellWMI'
        - 'Invoke-PPLDump'
        - 'Invoke-PsExec'
        - 'Invoke-PSInject'
        - 'Invoke-PsUaCme'
        - 'Invoke-ReflectivePEInjection'
        - 'Invoke-ReverseDNSLookup'
        - 'Invoke-Rubeus'
        - 'Invoke-RunAs'
        - 'Invoke-SafetyKatz'
        - 'Invoke-SauronEye'
        - 'Invoke-SCShell'
        - 'Invoke-Seatbelt'
        - 'Invoke-ServiceAbuse'
        - 'Invoke-ShadowSpray'
        - 'Invoke-Sharp'
        - 'Invoke-Shellcode'
        - 'Invoke-SMBScanner'
        - 'Invoke-Snaffler'
        - 'Invoke-Spoolsample'
        - 'Invoke-SpraySinglePassword'
        - 'Invoke-SSHCommand'
        - 'Invoke-StandIn'
        - 'Invoke-StickyNotesExtract'
        - 'Invoke-SystemCommand'
        - 'Invoke-Tasksbackdoor'
        - 'Invoke-Tater'
        - 'Invoke-Thunderfox'
        - 'Invoke-ThunderStruck'
        - 'Invoke-TokenManipulation'
        - 'Invoke-Tokenvator'
        - 'Invoke-TotalExec'
        - 'Invoke-UrbanBishop'
        - 'Invoke-UserHunter'
        - 'Invoke-VoiceTroll'
        - 'Invoke-Whisker'
        - 'Invoke-WinEnum'
        - 'Invoke-winPEAS'
        - 'Invoke-WireTap'
        - 'Invoke-WmiCommand'
        - 'Invoke-WMIExec'
        - 'Invoke-WScriptBypassUAC'
        - 'Invoke-Zerologon'
        - 'MailRaider'
        - 'New-ADIDNSNode'
        - 'New-DNSRecordArray'
        - 'New-HoneyHash'
        - 'New-InMemoryModule'
        - 'New-MachineAccount'
        - 'New-SOASerialNumberArray'
        - 'Out-Minidump'
        - 'Port-Scan'
        - 'PowerBreach'
        - 'powercat '
        - 'PowerUp'
        - 'PowerView'
        - 'Remove-ADIDNSNode'
        - 'Remove-MachineAccount'
        - 'Remove-Update'
        - 'Rename-ADIDNSNode'
        - 'Revoke-ADIDNSPermission'
        - 'Set-ADIDNSNode'
        - 'Set-MacAttribute'
        - 'Set-MachineAccountAttribute'
        - 'Set-Wallpaper'
        - 'Show-TargetScreen'
        - 'Start-CaptureServer'
        - 'Start-Dnscat2'
        - 'Start-WebcamRecorder'
        - 'Veeam-Get-Creds'
        - 'VolumeShadowCopyTools'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`Add-Exfiltration` `Add-Persistence` `Add-RegBackdoor` `Add-RemoteRegBackdoor` `Add-ScrnSaveBackdoor` `Check-VM` `ConvertTo-Rc4ByteStream` `Decrypt-Hash` `Disable-ADIDNSNode` `Disable-MachineAccount` `Do-Exfiltration` `Enable-ADIDNSNode` `Enable-MachineAccount` `Enabled-DuplicateToken` `Exploit-Jboss` `Export-ADR` `Export-ADRCSV` `Export-ADRExcel` `Export-ADRHTML` `Export-ADRJSON` `Export-ADRXML` `Find-Fruit` `Find-GPOLocation` corpus 2 (sigma 2) `Find-TrustedDocuments` `Get-ADIDNS` `Get-ApplicationHost` `Get-ChromeDump` `Get-ClipboardContents` `Get-FoxDump` `Get-GPPPassword` `Get-IndexedItem` `Get-KerberosAESKey` `Get-Keystrokes` `Get-LSASecret` `Get-MachineAccountAttribute` `Get-MachineAccountCreator` `Get-PassHashes` `Get-RegAlwaysInstallElevated` `Get-RegAutoLogon` `Get-RemoteBootKey` `Get-RemoteCachedCredential` `Get-RemoteLSAKey` `Get-RemoteLocalAccountHash` `Get-RemoteMachineAccountHash` `Get-RemoteNLKMKey` `Get-RickAstley` `Get-Screenshot` `Get-SecurityPackages` `Get-ServiceFilePermission` `Get-ServicePermission` `Get-ServiceUnquoted` `Get-SiteListPassword` `Get-System` `Get-TimedScreenshot` `Get-USBKeystrokes` `Get-UnattendedInstallFile` `Get-Unconstrained` `Get-VaultCredential` `Get-VulnAutoRun` `Get-VulnSchTask` `Grant-ADIDNSPermission` `Gupt-Backdoor` `HTTP-Login` `Install-SSP` `Install-ServiceBinary` `Invoke-ACLScanner` corpus 2 (sigma 2) `Invoke-ADRecon` `Invoke-ADSBackdoor` `Invoke-ARPScan` `Invoke-AgentSmith` `Invoke-AllChecks` `Invoke-AzureHound` corpus 2 (sigma 1, splunk 1) `Invoke-BackdoorLNK` `Invoke-BadPotato` `Invoke-BetterSafetyKatz` `Invoke-BypassUAC` `Invoke-Carbuncle` `Invoke-Certify` `Invoke-ConPtyShell` `Invoke-CredentialInjection` `Invoke-DAFT` `Invoke-DCSync` `Invoke-DNSExfiltrator` `Invoke-DNSUpdate` `Invoke-DinvokeKatz` `Invoke-DllInjection` `Invoke-DomainPasswordSpray` `Invoke-DowngradeAccount` `Invoke-EgressCheck` `Invoke-Eyewitness` `Invoke-FakeLogonScreen` `Invoke-Farmer` `Invoke-Get-RBCD-Threaded` `Invoke-Gopher` `Invoke-Grouper` `Invoke-HandleKatz` `Invoke-ImpersonateSystem` `Invoke-ImpersonatedProcess` `Invoke-InteractiveSystemPowerShell` `Invoke-Internalmonologue` `Invoke-Inveigh` `Invoke-InveighRelay` `Invoke-KrbRelay` `Invoke-LdapSignCheck` `Invoke-Lockless` `Invoke-MITM6` `Invoke-MalSCCM` `Invoke-Mimikatz` `Invoke-Mimikittenz` `Invoke-NanoDump` `Invoke-NetRipper` `Invoke-Nightmare` corpus 2 (sigma 2) `Invoke-NinjaCopy` `Invoke-OfficeScrape` `Invoke-OxidResolver` `Invoke-P0wnedshell` `Invoke-PPLDump` `Invoke-PSInject` `Invoke-Paranoia` `Invoke-PortScan` `Invoke-PoshRatHttp` `Invoke-PostExfil` `Invoke-PowerDPAPI` `Invoke-PowerDump` `Invoke-PowerShellTCP` `Invoke-PowerShellWMI` `Invoke-PsExec` `Invoke-PsUaCme` `Invoke-ReflectivePEInjection` `Invoke-ReverseDNSLookup` `Invoke-Rubeus` `Invoke-RunAs` `Invoke-SCShell` `Invoke-SMBScanner` `Invoke-SSHCommand` `Invoke-SafetyKatz` `Invoke-SauronEye` `Invoke-Seatbelt` `Invoke-ServiceAbuse` `Invoke-ShadowSpray` `Invoke-Sharp` `Invoke-Shellcode` `Invoke-Snaffler` `Invoke-Spoolsample` `Invoke-SpraySinglePassword` `Invoke-StandIn` `Invoke-StickyNotesExtract` `Invoke-SystemCommand` `Invoke-Tasksbackdoor` `Invoke-Tater` corpus 2 (sigma 2) `Invoke-ThunderStruck` `Invoke-Thunderfox` `Invoke-TokenManipulation` `Invoke-Tokenvator` `Invoke-TotalExec` `Invoke-UrbanBishop` `Invoke-UserHunter` corpus 2 (sigma 2) `Invoke-VoiceTroll` `Invoke-WMIExec` `Invoke-WScriptBypassUAC` `Invoke-Whisker` `Invoke-WinEnum` `Invoke-WireTap` `Invoke-WmiCommand` `Invoke-Zerologon` `Invoke-winPEAS` `MailRaider` `New-ADIDNSNode` `New-DNSRecordArray` `New-HoneyHash` `New-InMemoryModule` `New-MachineAccount` `New-SOASerialNumberArray` `Out-Minidump` `Port-Scan` `PowerBreach` `PowerUp` `PowerView` `Remove-ADIDNSNode` `Remove-MachineAccount` `Remove-Update` `Rename-ADIDNSNode` `Revoke-ADIDNSPermission` `Set-ADIDNSNode` `Set-MacAttribute` `Set-MachineAccountAttribute` `Set-Wallpaper` `Show-TargetScreen` `Start-CaptureServer` `Start-Dnscat2` `Start-WebcamRecorder` `Veeam-Get-Creds` `VolumeShadowCopyTools` `powercat`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Malicious PowerShell Commandlets - ProcessCreation

MITRE ATT&CK coverage

Event coverage

Rule body yaml

Stages and Predicates

Stage 0: `condition`

Stage 1: `selection`

Indicators

Keyboard shortcuts

Search operators

Malicious PowerShell Commandlets - ProcessCreation

MITRE ATT&CK coverage

Event coverage

Rule body yaml

Stages and Predicates

Stage 0: condition

Stage 1: selection

Indicators

Stage 0: `condition`

Stage 1: `selection`