Malicious Nishang PowerShell Commandlets
Last updated on:
In this page
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
Malicious Nishang PowerShell Commandlets | Standard | Windows | Execution: Command and Scripting Interpreter - PowerShell (T1059.001) | Critical |
About the rule
Rule Type
Standard
Rule Description
Nishang is an open-source post-exploitation framework built in PowerShell that contains numerous offensive commandlets. These scripts can perform a wide range of malicious actions—from exfiltrating data and harvesting credentials to establishing backdoors and evading defenses. Attackers typically use Nishang after gaining access to a system to maintain persistence, escalate privileges, or steal sensitive information—all while staying within PowerShell to remain under the radar.
This rule detects the execution of commandlets known to be part of the Nishang framework by monitoring script block logs for specific function names or arguments.
Severity
Trouble
Rule journey
Attack chain scenario
Malicious USB drop → Execution of autorun payload → Backdoor installation using Nishang commandlet → Credential dumping → Data exfiltration via DNS tunneling
Impact
- Data theft
- Privilege escalation
- Stolen admin tokens
Rule Requirement
Prerequisites
Logon to Group Policy Management Console with administrative privileges and enable Module Logging for Windows PowerShell in the Group Policy Management Editor. Ensure to enter * in the Module Names window to record all modules. Similarly enable PowerShell Script Block Logging for Windows PowerShell. Finally, create a new registry key "Microsoft-Windows-Powershell/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".
Criteria
Action1: actionname = "PowerShell Script Block Logged" AND SCRIPTEXECUTED contains "Add-ConstrainedDelegationBackdoor,Copy-VSS,Create-MultipleSessions,DataToEncode,DNS_TXT_Pwnage,Do-Exfiltration-Dns,Download_Execute,Download-Execute-PS,DownloadAndExtractFromRemoteRegistry,DumpCerts,DumpCreds,DumpHashes,Enable-DuplicateToken,Enable-Duplication,Execute-Command-MSSQL,Execute-DNSTXT-Code,Execute-OnTime,ExetoText,exfill,ExfilOption,FakeDC,FireBuster,FireListener,Get-Information " OR SCRIPTEXECUTED contains "Get-PassHints,Get-Web-Credentials,Get-WebCredentials,Get-WLAN-Keys,HTTP-Backdoor,Invoke-AmsiBypass,Invoke-BruteForce,Invoke-CredentialsPhish,Invoke-Decode,Invoke-Encode,Invoke-Interceptor,Invoke-JSRatRegsvr,Invoke-JSRatRundll,Invoke-MimikatzWDigestDowngrade,Invoke-NetworkRelay,Invoke-PowerShellIcmp,Invoke-PowerShellUdp,Invoke-Prasadhak,Invoke-PSGcat,Invoke-PsGcatAgent,Invoke-SessionGopher,Invoke-SSIDExfil,LoggedKeys,Nishang" OR SCRIPTEXECUTED contains "NotAllNameSpaces,Out-CHM,OUT-DNSTXT,Out-HTA,Out-RundllCommand,Out-SCF,Out-SCT,Out-Shortcut,Out-WebQuery,Out-Word,Parse_Keys,Password-List,Powerpreter,Remove-Persistence,Remove-PoshRat,Remove-Update,Run-EXEonRemote,Set-DCShadowPermissions,Set-RemotePSRemoting,Set-RemoteWMI,Shellcode32,Shellcode64,StringtoBase64,TexttoExe" select Action1.HOSTNAME,Action1.MESSAGE,Action1.SCRIPTEXECUTED
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Execution: Command and Scripting Interpreter - PowerShell (T1059.001)
Security standard:
Enabling this rule will help you meet the security standard's requirement listed below:
DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.
When this rule is triggered, you're notified of a PowerShell script block content for known Nishang-related keywords and functions.This enables you to monitor runtime environments like PowerShell.
Author
Alec Costello
Future actions
Known False Positives
This rule might be triggered in rare cases where legitimate red-team exercises or internal security testing tools utilize Nishang commandlets.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
- Audit PowerShell activities: Enable PowerShell Module Logging and Script Block Logging through Group Policy to capture full command context.
Mitigation
Mitigation ID | Mitigation Name | Mitigation description |
M1049 | Implement antivirus or antimalware scanning to isolate suspicious files. | |
M1045 | Configure policies that allow PowerShell to execute only signed scripts. | |
M1042 | Restrict or disable PowerShell on systems where it is not required. | |
M1038 | Restrict the execution of scripts that contain sensitive language elements i.e., malicious codes using the PowerShell Constrained Language mode. | |
M1026 | Restrict privileges to execute PowerShell scripts to administrators and enforce limitations on the commands that can be executed via remote PowerShell sessions. |
