powershell-patterns
PWRSHELL \b((?i)Add-Exfiltration|Add-Persistence|Add-ScrnSaveBackdoorBase64ToString|Check-VM|Copy-VSS|Create-MultipleSessions|DNS_TXT_Pwnage|Discover-PSInterestingServices|Discover-PSMSExchangeServers|Discover-PSMSSQLServers|DllInjection|Invoke-Mimikatz|Do-Exfiltration|Download-Execute-PS|Download_Execute|Enable-DuplicateToken|EncodedCommand|Execute-Command-MSSQL|Execute-DNSTXT-Code|Execute-OnTime|Find-AVSignature|Find-PSServiceAccounts|Get-ApplicationHost|Get-GPPPassword|Get-Information|Get-KerberosPolicy|Get-Keystrokes|Get-LsaSecret|Get-PSADForestInfo|Get-PSADForestKRBTGTInfo|Get-PassHashes|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-ServiceEXEPerms|Get-ServicePerms|Get-ServiceUnquoted|Get-TimedScreenshot|Get-UnattendedInstallFiles|Get-VaultCredential|Get-Webconfig|Gupt-Backdoor|HTTP-Backdoor|Invoke-Shellcode|Invoke-ADSBackdoor|Invoke-AllChecks|Invoke-BruteForce|Invoke-CallbackIEX|Invoke-CreateCertificate|Invoke-CredentialInjection|Invoke-CredentialsPhish|Invoke-Decode|Invoke-DllEncode|Invoke-Encode|Invoke-FindDLLHijack|Invoke-FindPathHijack|Invoke-MassCommand|Invoke-MassMimikatz|Invoke-MassSearch|Invoke-MassTemplate|Invoke-MassTokens|Invoke-MimikatzWDigestDowngrade|Invoke-Mimikatz|Invoke-NetworkRelay|Invoke-NinjaCopy|Invoke-PSGcat|Invoke-PSInject|Invoke-PoshRatHttp|Invoke-PoshRatHttps|Invoke-PowerShellIcmp|Invoke-PowerShellTcp|Invoke-PowerShellUdp|Invoke-PowerShellWmi|Invoke-PsGcatAgent|Invoke-ServiceCMD|Invoke-ServiceDisable|Invoke-ServiceEnable|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceUserAdd|Invoke-Shellcode|Invoke-ShellcodeMSIL|Invoke-TokenManipulation|Mimikatz|New-ElevatedPersistenceOption|Out-CHM|Out-Excel|Out-HTA|Out-Java|Out-Minidump|Out-Shortcut|Out-Word|Parse_Keys|Payload|Port-Scan|ReflectivePEInjection|Remove-Persistence|Remove-PoshRat|Remove-Update|Restore-ServiceEXE|Run-EXEonRemote|Set-ExecutionPolicy|Set-MasterBootRecord|StringtoBase64|TexttoEXE|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Write-UserAddMSI|Write-UserAddServiceBinary|powercat|Get-ADReplAccount|Set-SamAccountPasswordHash|Get-ADReplBackupKey|Get-ADDBAccount|Get-BootKey|Set-BootKey|Get-ADDBBackupKey|Add-ADDBSidHistory|Set-ADDBPrimaryGroup|Get-ADDBDomainController|Set-ADDBDomainController|Get-ADDBSchemaAttribute|Remove-ADDBObject|ConvertTo-NTHash|ConvertTo-LMHash|ConvertTo-OrgIdHash|ConvertFrom-GPPrefPassword|ConvertTo-GPPrefPassword|ConvertFrom-UnattendXmlPassword|ConvertTo-UnicodePassword|ConvertFrom-ADManagedPasswordBlob)\b