Threat Feed advisory (severity: high)

Detection of PowerShell HackTool Scripts by Author Attribution

This rule detects potential PowerShell HackTool scripts by identifying script block content containing known offensive-tool author handles or attribution strings, indicative of attackers using public tooling with minimal modifications.

This detection identifies PowerShell script block content containing known offensive-tool author handles or attribution strings. Attackers often run publicly available PowerShell tools with little or no modification, leaving the original authors' handles in comment headers, help blocks or function names, and those leftovers are a cheap, high-signal indicator. The rule consumes PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), which records the text of each script block as it is compiled, including code that was decoded from an encoded command or generated at runtime, so the match is made against the code that actually executes rather than against a file on disk. The trade-off is that the rule only catches operators who did not strip the attribution; an absence of matches is not evidence that no public tooling ran.
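The matching logic above, as an added example that is not the platform's rule or code: it reassembles constructed 4104 fragments per ScriptBlockId and scans the joined text for an assumed, illustrative subset of author handles (the real keyword list is kept inside the platform and is not on this page). Field names follow the 4104 event data; every sample event is constructed for the example.

```python
"""Reassemble PowerShell 4104 script blocks and scan them for offensive-tool author handles.

Added example, not the platform's rule. The handle list is an assumed, illustrative
subset; tune it for your environment.
"""
import re
from collections import defaultdict

# Assumed subset of attribution strings seen in headers of public PowerShell tooling.
AUTHOR_HANDLES = [
    "harmj0y",
    "mattifestation",
    "PowerShellMafia",
    "kevin_robertson",
]

# Word-boundary guard built from non-identifier characters so "$harmj0yCount" does not fire,
# while "@harmj0y" and "(@harmj0y)" do. Handles are matched case-insensitively.
HANDLE_RE = re.compile(
    r"(?<![A-Za-z0-9_])(?:" + "|".join(re.escape(h) for h in AUTHOR_HANDLES) + r")(?![A-Za-z0-9_])",
    re.IGNORECASE,
)


def reassemble(events):
    """Group 4104 fragments by ScriptBlockId and join them in MessageNumber order.

    A long script is logged as several 4104 events (MessageNumber of MessageTotal) and the
    attribution header is usually only in the first, so match on the joined text, not on
    each event alone. A block is flagged complete when every fragment was seen.
    """
    frags = defaultdict(dict)
    meta = {}
    for ev in events:
        sbid = ev["ScriptBlockId"]
        frags[sbid][ev["MessageNumber"]] = ev["ScriptBlockText"]
        meta.setdefault(sbid, {
            "Path": ev.get("Path", ""),
            "ProcessId": ev.get("ProcessId"),
            "MessageTotal": ev["MessageTotal"],
        })
    blocks = {}
    for sbid, parts in frags.items():
        text = "".join(parts[n] for n in sorted(parts))
        complete = len(parts) == meta[sbid]["MessageTotal"]
        blocks[sbid] = {"text": text, "complete": complete, **meta[sbid]}
    return blocks


def detect(events):
    """Return one alert per script block whose text contains a known author handle."""
    alerts = []
    for sbid, blk in reassemble(events).items():
        hits = sorted({m.group(0).lower() for m in HANDLE_RE.finditer(blk["text"])})
        if hits:
            alerts.append({
                "ScriptBlockId": sbid,
                "handles": hits,
                "Path": blk["Path"],
                "ProcessId": blk["ProcessId"],
                "complete": blk["complete"],
            })
    return alerts


# Constructed sample 4104 events (field names follow the 4104 event data; contents are made up).
SAMPLE_EVENTS = [
    # A script logged as two fragments; the attribution header sits in fragment 1 only.
    {"ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 2, "ProcessId": 4242,
     "Path": "C:\\Users\\Public\\pv.ps1",
     "ScriptBlockText": "<#\n  Author: Will Schroeder (@harmj0y)\n#>\nfunction Get-DomainUser {\n"},
    {"ScriptBlockId": "a1", "MessageNumber": 2, "MessageTotal": 2, "ProcessId": 4242,
     "Path": "C:\\Users\\Public\\pv.ps1",
     "ScriptBlockText": "    param($Identity)\n}\n"},
    # Benign admin script: no handle present, must not alert.
    {"ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1, "ProcessId": 1337,
     "Path": "C:\\ops\\rotate-logs.ps1",
     "ScriptBlockText": "Get-ChildItem C:\\logs -Filter *.log | Remove-Item\n"},
    # Same tool with the header comment stripped: the rule's known blind spot (no alert).
    {"ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 1, "ProcessId": 5150, "Path": "",
     "ScriptBlockText": "function Get-DomainUser {\n    param($Identity)\n}\n"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints a single alert for block a1 with the handle found in its first fragment; block b2 is silent, and c3 shows the false negative a stripped header produces. Feeding only fragment 1 still alerts but with complete set to False, which is worth surfacing in triage because the rest of the script has not yet been seen.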

Attack Chain

  1. An attacker gains initial access to a Windows system.
  2. The attacker executes a PowerShell script containing offensive tool author attribution strings.
  3. PowerShell Script Block Logging captures the script content.
  4. The detection rule identifies the presence of known author handles within the script block text.
  5. The script may perform reconnaissance activities, such as gathering system information or network configurations.
  6. The script may attempt to escalate privileges or move laterally within the network.
  7. The attacker may use the script to download and execute additional payloads.
  8. The final objective could be data exfiltration, system compromise, or the deployment of ransomware.

Impact

A successful attack using publicly available PowerShell tooling can lead to credential theft, lateral movement, data exfiltration or ransomware deployment. Author attribution strings left in place suggest the operator is reusing tooling unmodified, which often points to a lower-skilled or opportunistic actor, although capable groups stage the same public tools too, so the indicator says more about the tooling than about the adversary. The rule itself is a detection and has no impact on its own; because a 4104 event is written when the block is compiled, an alert can reach the analyst before the script's actions are finished, which shortens time to response.

Recommendation

  • Enable PowerShell Script Block Logging so Event ID 4104 is written to the Microsoft-Windows-PowerShell/Operational log (Group Policy "Turn on PowerShell Script Block Logging", or the registry value EnableScriptBlockLogging = 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging). Without the policy, PowerShell 5 and later only logs a limited set of suspicious blocks at Warning level, which is not enough for this rule. Forward 4104 events promptly, since the Operational log is small by default and rolls over quickly.
  • Deploy the Sigma rule provided in this brief to your SIEM and tune it: allowlist the hosts and paths where your own red team or assessment tooling legitimately runs, and expect a long script to arrive as several 4104 fragments of one ScriptBlockId.
  • Investigate every alert: the parent process and user, the Path field (empty when the block came from the command line, -EncodedCommand or Invoke-Expression rather than a file), the 4104 fragments that share the ScriptBlockId, and any network connections from the process around the event time.

Detection coverage (2 rules)

PowerShell HackTool Script Block Detection by Author Attribution

Severity: high

Detects PowerShell script block content containing known offensive-tool author handles or attribution strings.

Format: Sigma
Tactic: Execution
Technique: T1059.001 (Command and Scripting Interpreter: PowerShell)
Log source: process_creation, windows

PowerShell HackTool Script Block Logging Detection by Author Attribution

Severity: high

Detects PowerShell Script Block Logging containing known offensive-tool author handles or attribution strings.

Format: Sigma
Tactic: Execution
Technique: T1059.001 (Command and Scripting Interpreter: PowerShell)
Log source: powershell_script, windows
