kql · Elastic-2.0 · from elastic/detection-rules
PowerShell Invoke-NinjaCopy script
Rule sourcerules/windows/credential_access_posh_invoke_ninjacopy.toml
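event.category:process and host.os.type:windows and
powershell.file.script_block_text : (
"StealthReadFile" or
"StealthReadFileAddr" or
"StealthCloseFileDelegate" or
"StealthOpenFile" or
"StealthCloseFile" or
"Invoke-NinjaCopy"
)
and not user.id : "S-1-5-18"
and not powershell.file.script_block_text : (
"sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
)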