--- title: PowerShell Invoke-NinjaCopy script description: Detects PowerShell script block content containing Invoke-NinjaCopy or related Stealth* functions used for direct volume file access. Attackers use NinjaCopy... url: https://www.elastic.co/elastic/docs-builder/docs/3466/reference/security/prebuilt-rules/rules/windows/credential_access_posh_invoke_ninjacopy products: - Elastic Security --- # PowerShell Invoke-NinjaCopy script Detects PowerShell script block content containing Invoke-NinjaCopy or related Stealth* functions used for direct volume file access. Attackers use NinjaCopy to read locked system files such as NTDS.dit or registry hives for credential dumping. **Rule type**: query **Rule indices**: - logs-windows.powershell* - winlogbeat-* **Rule Severity**: high **Risk Score**: 73 **Runs every**: **Searches indices from**: `now-9m` **Maximum alerts per execution**: 100 **References**: - [[https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1](https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1)](https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1) **Tags**: - Domain: Endpoint - OS: Windows - Use Case: Threat Detection - Tactic: Credential Access - Data Source: PowerShell Logs - Resources: Investigation Guide **Version**: 113 **Rule authors**: - Elastic **Rule license**: Elastic License v2 ## Setup PowerShell Script Block Logging must be enabled to generate the events used by this rule (e.g., 4104). Setup instructions: [https://ela.st/powershell-logging-setup](https://ela.st/powershell-logging-setup) ## Investigation guide ## Triage and analysis ### Investigating PowerShell Invoke-NinjaCopy script #### Possible investigation steps - Does the alert-preserved script content show active NinjaCopy direct-volume access rather than inert reference text? - Focus: `powershell.file.script_block_text`, `powershell.file.script_block_length`, and file-backed `file.path` or `file.name`. - Implication: escalate sooner when the fragment shows `Invoke-NinjaCopy`, `StealthOpenFile`, `StealthReadFile`, credential-store targets, output destinations, or cleanup logic; lower concern only for inert example or recognized validation content that later recovery does not contradict. - Does full script reconstruction reveal target, destination, or cleanup behavior that the matching fragment did not show? - Why: Script Block Logging can split one script across events; later fragments often contain output paths, loops, or cleanup logic that change urgency. - Focus: reconstruct on `host.id` + `powershell.file.script_block_id`, ordering by `powershell.sequence` / `powershell.total`; read `powershell.file.script_block_text` for "-Path", "-ComputerName", "-LocalDestination", or "-RemoteDestination". $investigate_2 - Hint: if `powershell.sequence` is missing or never reaches `powershell.total`, record the gap before treating the script as understood. - Implication: escalate when reconstruction adds remote targets, credential stores (`NTDS.dit`, `SAM`, `SYSTEM`, `SECURITY`), temp/share destinations, large copy buffers, archive paths, encoding, or delete-after-copy logic; lower concern when the full script is confirmed lab, forensic, or validation content with no hostile follow-on behavior. - Does the script provenance and reconstructed target fit a recognized workflow? - Focus: `file.path`, `file.name`, `user.id`, `host.id`, and reconstructed "-Path", "-ComputerName", "-LocalDestination", or "-RemoteDestination". - Hint: if `file.path` is absent, treat content as inline, generated, interactive, or remote; do not close on path absence alone. - Implication: escalate when source is temp, downloads, or user-writable shares, or parameters name remote servers, `NTDS.dit`, registry hives, or staging destinations; lower concern when source, targets, and destinations match one recognized forensic, IR, lab, or validation workflow. - Do surrounding script blocks from the same user and host show staging, retries, or variant logic? - Focus: manually search the same execution window for `user.id`, `host.id`, `powershell.file.script_block_text`, and adjacent `powershell.file.script_block_id` values. - Hint: renamed wrappers may omit `Invoke-NinjaCopy`; still check `Stealth*` helpers and reconstructed target or destination values. - Implication: escalate when adjacent fragments show retries, renamed helpers, alternative raw-volume logic, output-file reuse, or follow-on compression and cleanup. - Can process telemetry recover the PowerShell process and explain how it was launched? - Focus: match the PowerShell PID on `host.id`, `process.pid`, and `@timestamp`; record `process.entity_id`, then interpret `process.command_line`, `process.parent.command_line`, and `process.Ext.token.integrity_level_name`. $investigate_3 - Hint: recover the matching process via `host.id + process.pid` before using `process.*` or `process.parent.*`. If no process start event appears, expand the window because PowerShell can predate the script block; if still absent, bound file review to `host.id`, `user.id`, `process.pid`, and alert time. - Implication: escalate when recovery shows encoded commands, remote-admin launchers, Office/browser ancestry, or unexpected high-integrity execution; unresolved process recovery does not make direct-volume script content benign. - Do file events confirm copied credential stores or staging artifacts? - Focus: endpoint file events scoped to `host.id`, `process.pid`, and alert time; review `file.path`, `file.directory`, and `file.name`. $investigate_4 - Implication: escalate when file activity confirms copied hives, `NTDS.dit`, archives, or renamed staging files; missing file telemetry is unresolved, not benign. - If the local script, launch, or artifact answers remain suspicious or unresolved, is this script block isolated, or part of broader suspicious activity for the same user or host? - Focus: related `user.id` alerts for repeated credential access, execution, or post-compromise behavior. $investigate_0 - Hint: compare `host.id` alerts for credential access, persistence, or staging. $investigate_1 - Implication: broaden scope when either view shows adjacent credential-access or post-compromise behavior; keep it local only when both are quiet and the local evidence fits one recognized workflow. - Escalate when script content, reconstruction, target parameters, launch context, or artifacts show unauthorized direct-volume access or credential-store targeting; close only when source path, targets, destinations, launch context, and artifacts align with one recognized forensic, IR, lab, or validation workflow; preserve and escalate if mixed or incomplete. ### False positive analysis - Recognized red-team, security-validation, forensic-acquisition, or IR workflows can legitimately include NinjaCopy-derived code. Confirm only when `powershell.file.script_block_text`, reconstructed targets/destinations, `file.path`, `user.id`, `host.id`, and recovered launch context align with the same workflow. If records are unavailable, prior recurrence can support but not replace local telemetry proof; first occurrences stay candidate exceptions. - Build exceptions from `user.id`, `host.id`, stable `file.path`, recovered parent-launch pattern when available, and the `powershell.file.script_block_text` pattern. Avoid exceptions on "Invoke-NinjaCopy", `user.name`, or host alone. ### Response and remediation - If confirmed benign, reverse containment and document the recognized workflow: `user.id`, `host.id`, `file.path`, `powershell.file.script_block_id`, recovered launch context, and reconstructed target or destination values. Create an exception only if the same pattern recurs across prior alerts. - If suspicious but unconfirmed, preserve reconstructed `powershell.file.script_block_text`, `powershell.file.script_block_id`, `powershell.sequence`, `process.pid`, recovered launch context, target or destination values, and `file.path` before cleanup. Apply reversible containment first; escalate to host isolation only if copied credential artifacts, staging, or broader post-compromise activity appears. - If confirmed malicious, preserve the reconstructed script, launch context, targets, destinations, copied stores, and related alerts first. Then use reversible endpoint response to isolate the host when needed; if unavailable, escalate with the preserved artifact set to the team that can act. Record all evidence before terminating processes or deleting files. - If "NTDS.dit", "SAM", "SYSTEM", or "SECURITY" targeting is confirmed with copied artifacts, follow the organization's credential-exposure playbook and prioritize privileged-account hygiene. - Before eradicating, review related hosts for the same script pattern, `file.path` destinations, and recovered parent-launch pattern. Then remove unauthorized scripts, copied stores, archives, and persistence mechanisms and remediate the delivery path. - Post-incident hardening: restrict direct-volume-copy tooling to controlled acquisition hosts, retain PowerShell Script Block Logging and endpoint file/process telemetry, and document the recognized workflow pattern for future analysts. ## Rule Query ```kuery event.category:process and host.os.type:windows and powershell.file.script_block_text : ( "StealthReadFile" or "StealthReadFileAddr" or "StealthCloseFileDelegate" or "StealthOpenFile" or "StealthCloseFile" or "Invoke-NinjaCopy" ) and not powershell.file.script_block_text : ( "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators" ) ``` **Framework:** MITRE ATT&CK - Tactic: - Name: Credential Access - Id: TA0006 - Reference URL: [[https://attack.mitre.org/tactics/TA0006/](https://attack.mitre.org/tactics/TA0006/)](https://attack.mitre.org/tactics/TA0006/) - Technique: - Name: OS Credential Dumping - Id: T1003 - Reference URL: [[https://attack.mitre.org/techniques/T1003/](https://attack.mitre.org/techniques/T1003/)](https://attack.mitre.org/techniques/T1003/) - Sub Technique: - Name: Security Account Manager - Id: T1003.002 - Reference URL: [[https://attack.mitre.org/techniques/T1003/002/](https://attack.mitre.org/techniques/T1003/002/)](https://attack.mitre.org/techniques/T1003/002/) - Sub Technique: - Name: NTDS - Id: T1003.003 - Reference URL: [[https://attack.mitre.org/techniques/T1003/003/](https://attack.mitre.org/techniques/T1003/003/)](https://attack.mitre.org/techniques/T1003/003/) - Sub Technique: - Name: LSA Secrets - Id: T1003.004 - Reference URL: [[https://attack.mitre.org/techniques/T1003/004/](https://attack.mitre.org/techniques/T1003/004/)](https://attack.mitre.org/techniques/T1003/004/) - Sub Technique: - Name: Cached Domain Credentials - Id: T1003.005 - Reference URL: [[https://attack.mitre.org/techniques/T1003/005/](https://attack.mitre.org/techniques/T1003/005/)](https://attack.mitre.org/techniques/T1003/005/) **Framework:** MITRE ATT&CK - Tactic: - Name: Execution - Id: TA0002 - Reference URL: [[https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/)](https://attack.mitre.org/tactics/TA0002/) - Technique: - Name: Command and Scripting Interpreter - Id: T1059 - Reference URL: [[https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)](https://attack.mitre.org/techniques/T1059/) - Sub Technique: - Name: PowerShell - Id: T1059.001 - Reference URL: [[https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/)](https://attack.mitre.org/techniques/T1059/001/) **Framework:** MITRE ATT&CK - Tactic: - Name: Defense Evasion - Id: TA0005 - Reference URL: [[https://attack.mitre.org/tactics/TA0005/](https://attack.mitre.org/tactics/TA0005/)](https://attack.mitre.org/tactics/TA0005/) - Technique: - Name: Direct Volume Access - Id: T1006 - Reference URL: [[https://attack.mitre.org/techniques/T1006/](https://attack.mitre.org/techniques/T1006/)](https://attack.mitre.org/techniques/T1006/)