feat: various new hktl rules

rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml

@@ -27,9 +27,12 @@ references:
     - https://github.com/samratashok/nishang
     - https://github.com/DarkCoderSc/PowerRunAsSystem/
     - https://github.com/besimorhino/powercat
+    - https://github.com/Kevin-Robertson/Powermad
+    - https://github.com/adrecon/ADRecon
+    - https://github.com/adrecon/AzureADRecon
 author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
 date: 2017/03/05
-modified: 2023/03/06
+modified: 2023/04/17
 tags:
     - attack.execution
     - attack.discovery
@@ -210,6 +213,36 @@ detection:
             - 'Start-CaptureServer'
             - 'Start-WebcamRecorder'
             - 'VolumeShadowCopyTools'
+            # powermad
+            - 'Disable-ADIDNSNode'
+            - 'Disable-MachineAccount'
+            - 'Enable-ADIDNSNode'
+            - 'Enable-MachineAccount'
+            - 'Get-ADIDNS' # *NodeAttribute, *NodeOwner, *NodeTombstoned, *Permission, *Zone
+            - 'Get-KerberosAESKey'
+            - 'Get-MachineAccountAttribute'
+            - 'Get-MachineAccountCreator'
+            - 'Grant-ADIDNSPermission'
+            - 'Invoke-AgentSmith'
+            - 'Invoke-DNSUpdate'
+            - 'New-ADIDNSNode'
+            - 'New-DNSRecordArray'
+            - 'New-MachineAccount'
+            - 'New-SOASerialNumberArray'
+            - 'Remove-ADIDNSNode'
+            - 'Remove-MachineAccount'
+            - 'Rename-ADIDNSNode'
+            - 'Revoke-ADIDNSPermission'
+            - 'Set-ADIDNSNode' # *Set-ADIDNSNodeAttribute, *Set-ADIDNSNodeOwner
+            - 'Set-MachineAccountAttribute'
+            # ADRecon
+            - 'Invoke-ADRecon'
+            - 'Export-ADR'
+            - 'Export-ADRCSV'
+            - 'Export-ADRExcel'
+            - 'Export-ADRHTML'
+            - 'Export-ADRJSON'
+            - 'Export-ADRXML'
     filter_1:
         ScriptBlockText|contains:
             - Get-SystemDriveInfo  # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1