Last active
January 10, 2024 13:58
-
-
Save nasbench/50cd0b64bedacabccecc9149c15228da to your computer and use it in GitHub Desktop.
List of suspicious strings used by PowerShell `SuspiciousContentChecker` function
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Source: System.Management.Automation.dll | |
| # This list is used to determin if a ScriptBlock contains potential suspicious content | |
| # If a match is found an automatic 4104 with a "warning" level is generated. | |
| # https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs | |
| - "Add-Type" | |
| - "AddSecurityPackage" | |
| - "AdjustTokenPrivileges" | |
| - "AllocHGlobal" | |
| - "BindingFlags" | |
| - "Bypass" | |
| - "CloseHandle" | |
| - "CreateDecryptor" | |
| - "CreateEncryptor" | |
| - "CreateProcessWithToken" | |
| - "CreateRemoteThread" | |
| - "CreateThread" | |
| - "CreateType" | |
| - "CreateUserThread" | |
| - "Cryptography" | |
| - "CryptoServiceProvider" | |
| - "CryptoStream" | |
| - "DangerousGetHandle" | |
| - "DeclaringMethod" | |
| - "DeclaringType" | |
| - "DefineConstructor" | |
| - "DefineDynamicAssembly" | |
| - "DefineDynamicModule" | |
| - "DefineEnum" | |
| - "DefineField" | |
| - "DefineLiteral" | |
| - "DefinePInvokeMethod" | |
| - "DefineType" | |
| - "DeflateStream" | |
| - "DeviceIoControl" | |
| - "DllImport" | |
| - "DuplicateTokenEx" | |
| - "Emit" | |
| - "EncodedCommand" | |
| - "EnumerateSecurityPackages" | |
| - "ExpandString" | |
| - "FreeHGlobal" | |
| - "FreeLibrary" | |
| - "FromBase64String" | |
| - "GetAssemblies" | |
| - "GetAsyncKeyState" | |
| - "GetConstructor" | |
| - "GetConstructors" | |
| - "GetDefaultMembers" | |
| - "GetDelegateForFunctionPointer" | |
| - "GetEvent" | |
| - "GetEvents" | |
| - "GetField" | |
| - "GetFields" | |
| - "GetForegroundWindow" | |
| - "GetInterface" | |
| - "GetInterfaceMap" | |
| - "GetInterfaces" | |
| - "GetKeyboardState" | |
| - "GetLogonSessionData" | |
| - "GetMember" | |
| - "GetMembers" | |
| - "GetMethod" | |
| - "GetMethods" | |
| - "GetModuleHandle" | |
| - "GetNestedType" | |
| - "GetNestedTypes" | |
| - "GetPowerShell" | |
| - "GetProcAddress" | |
| - "GetProcessHandle" | |
| - "GetProperties" | |
| - "GetProperty" | |
| - "GetTokenInformation" | |
| - "GetTypes" | |
| - "ILGenerator" | |
| - "ImpersonateLoggedOnUser" | |
| - "InteropServices" | |
| - "IntPtr" | |
| - "InvokeMember" | |
| - "kernel32" | |
| - "LoadLibrary" | |
| - "LogPipelineExecutionDetails" | |
| - "MakeArrayType" | |
| - "MakeByRefType" | |
| - "MakeGenericType" | |
| - "MakePointerType" | |
| - "Marshal" | |
| - "memcpy" | |
| - "MemoryStream" | |
| - "Methods" | |
| - "MiniDumpWriteDump" | |
| - "NonPublic" | |
| - "OpenDesktop" | |
| - "OpenProcess" | |
| - "OpenProcessToken" | |
| - "OpenThreadToken" | |
| - "OpenWindowStation" | |
| - "PasswordDeriveBytes" | |
| - "Properties" | |
| - "ProtectedEventLogging" | |
| - "PtrToString" | |
| - "PtrToStructure" | |
| - "ReadProcessMemory" | |
| - "ReflectedType" | |
| - "RevertToSelf" | |
| - "RijndaelManaged" | |
| - "ScriptBlockLogging" | |
| - "SetInformationProcess" | |
| - "SetThreadToken" | |
| - "SHA1Managed" | |
| - "StructureToPtr" | |
| - "ToBase64String" | |
| - "TransformFinalBlock" | |
| - "TypeHandle" | |
| - "TypeInitializer" | |
| - "UnderlyingSystemType" | |
| - "UnverifiableCodeAttribute" | |
| - "VirtualAlloc" | |
| - "VirtualFree" | |
| - "VirtualProtect" | |
| - "WriteByte" | |
| - "WriteInt32" | |
| - "WriteProcessMemory" | |
| - "ZeroFreeGlobalAllocUnicode" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment