From 26583da2ea985348ad29e6fd5afc5bf0c2830ae0 Mon Sep 17 00:00:00 2001
From: tuan
Date: Fri, 21 Apr 2023 15:41:27 +0700
Subject: [PATCH] Update Script Block Text When Run Phant0m Script

---
 .../powershell/powershell_script/posh_ps_susp_keywords.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
index 9e7a60869..03ea34346 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
@@ -7,9 +7,9 @@ references:
 - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1
 - https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1
 - https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
-author: Florian Roth (Nextron Systems), Perez Diego (@darkquassar)
+author: Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)
 date: 2019/02/11
-modified: 2023/01/02
+modified: 2023/04/21
 tags:
 - attack.execution
 - attack.t1059.001
@@ -25,6 +25,8 @@ detection:
 - '[Reflection.Assembly]::Load($'
 - 'System.Reflection.AssemblyName'
 - 'Reflection.Emit.AssemblyBuilderAccess'
+ - 'Reflection.Emit.CustomAttributeBuilder'
+ - 'Runtime.InteropServices.UnmanagedType'
 - 'Runtime.InteropServices.DllImportAttribute'
 - 'SuspendThread'
 - 'rundll32'
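Review bot: The two keywords added in the `detection:` hunk, `'Reflection.Emit.CustomAttributeBuilder'` and `'Runtime.InteropServices.UnmanagedType'`, are substring matches against script block text, and `UnmanagedType` in particular is a normal part of P/Invoke marshalling declarations (`MarshalAs(UnmanagedType.…)`) in legitimate Add-Type based admin tooling, so this change likely widens the rule's false-positive surface beyond the Phant0m use case named in the commit subject. The rule's `falsepositives:` and `level:` fields, and the start of the `detection:` selection, lie outside the hunk and are not touched, so the commit gives no indication the new terms were baselined against benign scripts or that the rule's false-positive note was updated to mention P/Invoke signature definitions. I would either record the expected benign hits in `falsepositives:` or narrow the second term to the form the Phant0m script actually uses, and state in the rule's `description:` (also outside the hunk) that the keyword list was extended to cover Invoke-Phant0m. The first hunk (author and modified date) needs no review.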