From 7f067f7273b8f2df4dd8c341d18bcf050b2c4fb6 Mon Sep 17 00:00:00 2001
From: G Y <35021368+leegengyu@users.noreply.github.com>
Date: Sat, 3 Jul 2021 11:07:11 +0800
Subject: [PATCH 1/3] Update powershell_powerview_malicious_commandlets.yml

Added new commandlet names based on aliases seen in https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1, fixed a typo, and improved formatting.
---
 ...rshell_powerview_malicious_commandlets.yml | 54 ++++++++++++++++++-
 1 file changed, 52 insertions(+), 2 deletions(-)

diff --git a/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml
index c442d4fae..f0ab947aa 100644
--- a/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml
@@ -1,12 +1,13 @@
 title: Malicious PowerView PowerShell Commandlets
 id: dcd74b95-3f36-4ed9-9598-0490951643aa
 status: experimental
-description: Detects Commandlet names from PowerView of PowerSploit exploitation framework
+description: Detects Commandlet names from PowerView of PowerSploit exploitation framework.
 date: 2021/05/18
 references:
 - https://powersploit.readthedocs.io/en/stable/Recon/README
 - https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
 - https://thedfirreport.com/2020/10/08/ryuks-return
+ - https://adsecurity.org/?p=2277
 tags:
 - attack.execution
 - attack.t1059.001
@@ -14,13 +15,15 @@ author: Bhabesh Raj
 logsource:
 product: windows
 service: powershell
- definition: It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277
+ definition: It is recommended to use the new "Script Block Logging" of PowerShell v5.
 detection:
 selection:
 EventID: 4104
 ScriptBlockText:
 - Export-PowerViewCSV
+ - Get-IPAddress
 - Resolve-IPAddress
+ - Convert-NameToSid
 - ConvertTo-SID
 - Convert-ADName
 - ConvertFrom-UACValue
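Review bot: The names added under `ScriptBlockText:` in the second hunk are plain list values with no modifier, and as I read the Sigma specification an unmodified value is a full-field match, so against an Event ID 4104 record (whose ScriptBlockText field holds the whole script block) `Get-IPAddress` would only match a block consisting of nothing but that token. For the list to fire on a cmdlet name embedded in a script the key needs to be `ScriptBlockText|contains:`, which also covers the existing entries the commit did not touch. Matching is case-insensitive either way, so the mixed casing of entries such as `Convert-NameToSid` and `ConvertTo-SID` is not a concern. The selection list continues past the end of this hunk.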
@@ -28,41 +31,69 @@ detection:
 - Remove-RemoteConnection
 - Invoke-UserImpersonation
 - Invoke-RevertToSelf
+ - Request-SPNTicket
 - Get-DomainSPNTicket
 - Invoke-Kerberoast
 - Get-PathAcl
+ - Get-DNSZone
 - Get-DomainDNSZone
+ - Get-DNSRecord
 - Get-DomainDNSRecord
+ - Get-NetDomain
 - Get-Domain
+ - Get-NetDomainController
 - Get-DomainController
+ - Get-NetForest
 - Get-Forest
+ - Get-NetForestDomain
 - Get-ForestDomain
+ - Get-NetForestCatalog
 - Get-ForestGlobalCatalog
 - Find-DomainObjectPropertyOutlier
+ - Get-NetUser
 - Get-DomainUser
 - New-DomainUser
 - Set-DomainUserPassword
+ - Get-UserEvent
 - Get-DomainUserEvent
+ - Get-NetComputer
 - Get-DomainComputer
+ - Get-ADObject
 - Get-DomainObject
+ - Set-ADObject
 - Set-DomainObject
+ - Get-ObjectAcl
 - Get-DomainObjectAcl
+ - Add-ObjectAcl
 - Add-DomainObjectAcl
+ - Invoke-ACLScanner
 - Find-InterestingDomainAcl
+ - Get-NetOU
 - Get-DomainOU
+ - Get-NetSite
 - Get-DomainSite
+ - Get-NetSubnet
 - Get-DomainSubnet
 - Get-DomainSID
+ - Get-NetGroup
 - Get-DomainGroup
 - New-DomainGroup
+ - Find-ManagedSecurityGroups
 - Get-DomainManagedSecurityGroup
+ - Get-NetGroupMember
 - Get-DomainGroupMember
 - Add-DomainGroupMember
+ - Get-NetFileServer
 - Get-DomainFileServer
+ - Get-DFSshare
 - Get-DomainDFSShare
+ - Get-NetGPO
 - Get-DomainGPO
+ - Get-NetGPOGroup
 - Get-DomainGPOLocalGroup
+ - Find-GPOLocation
 - Get-DomainGPOUserLocalGroupMapping
+ - Find-GPOComputerAdmin
 - Get-DomainGPOComputerLocalGroupMapping
 - Get-DomainPolicy
 - Get-NetLocalGroup
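Review bot: `Get-ADObject` and `Set-ADObject`, added in the middle of this hunk, are also the names of cmdlets in Microsoft's RSAT ActiveDirectory module, so after this change any routine administration script that queries or edits directory objects will match a rule titled "Malicious PowerView PowerShell Commandlets"; as far as I can tell none of the other legacy names added here (`Get-NetUser`, `Invoke-ACLScanner`, `Get-DFSshare`, ...) has a built-in namesake. Either drop those two lines, or keep them and record the collision both next to the entries, `# also RSAT ActiveDirectory cmdlet names - expect benign admin hits`, and in the `falsepositives` section, which lies outside this hunk. The selection list starts before and ends after this hunk.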
@@ -70,27 +101,46 @@ detection:
 - Get-NetShare
 - Get-NetLoggedon
 - Get-NetSession
+ - Get-LoggedOnLocal
 - Get-RegLoggedOn
 - Get-NetRDPSession
+ - Invoke-CheckLocalAdminAccess
 - Test-AdminAccess
+ - Get-SiteName
 - Get-NetComputerSiteName
+ - Get-Proxy
 - Get-WMIRegProxy
+ - Get-LastLoggedOn
 - Get-WMIRegLastLoggedOn
+ - Get-CachedRDPConnection
 - Get-WMIRegCachedRDPConnection
+ - Get-RegistryMountedDrive
 - Get-WMIRegMountedDrive
+ - Get-NetProcess
 - Get-WMIProcess
 - Find-InterestingFile
+ - Invoke-UserHunter
 - Find-DomainUserLocation
+ - Invoke-ProcessHunter
 - Find-DomainProcess
+ - Invoke-EventHunter
 - Find-DomainUserEvent
+ - Invoke-ShareFinder
 - Find-DomainShare
+ - Invoke-FileFinder
 - Find-InterestingDomainShareFile
 - Find-LocalAdminAccess
+ - Invoke-EnumerateLocalAdmin
 - Find-DomainLocalGroupMember
+ - Get-NetDomainTrust
 - Get-DomainTrust
+ - Get-NetForestTrust
 - Get-ForestTrust
+ - Find-ForeignUser
 - Get-DomainForeignUser
+ = Find-ForeignGroup
 - Get-DomainForeignGroupMember
+ - Invoke-MapDomainTrust
 - Get-DomainTrustMapping
 condition: selection
 falsepositives:

From 2d0cdc16fcd9b9abfd02e8b912d82a409d1510ba Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 3 Jul 2021 13:19:14 +0200
Subject: [PATCH 2/3] added modified date

---
 .../powershell/powershell_powerview_malicious_commandlets.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml
index f0ab947aa..278fea5a0 100644
--- a/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml
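Review bot: Nothing in the rule itself records that the `Invoke-*Hunter`, `Invoke-ShareFinder`, `Invoke-FileFinder` and `Get-Net*Trust` entries added here are PowerView's older names for the `Find-Domain*`/`Get-Domain*` cmdlets listed directly under each one; only the commit message says they were taken from the aliases in PowerView.ps1, so a maintainer tidying the list could prune them as apparent duplicates. A YAML comment at the head of the list, e.g. `# older PowerView names (kept as aliases in PowerView.ps1) are listed next to their current equivalents`, would keep that context with the rule. Generic-sounding additions such as `Get-Proxy`, `Get-LastLoggedOn` and `Get-SiteName` are also plausible in in-house admin scripts, so the `falsepositives` section whose heading closes this hunk probably needs an entry for that, though its content is outside the hunk.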
@@ -3,6 +3,7 @@ id: dcd74b95-3f36-4ed9-9598-0490951643aa
 status: experimental
 description: Detects Commandlet names from PowerView of PowerSploit exploitation framework.
 date: 2021/05/18
+modified: 2021/07/02
 references:
 - https://powersploit.readthedocs.io/en/stable/Recon/README
 - https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon

From e7144b34ee6ae2780b71644f525e76a91c779fd8 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 3 Jul 2021 13:19:56 +0200
Subject: [PATCH 3/3] fix: bug in syntax

---
 .../powershell/powershell_powerview_malicious_commandlets.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml
index 278fea5a0..b98fbb4cb 100644
--- a/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml
@@ -139,7 +139,7 @@ detection:
 - Get-ForestTrust
 - Find-ForeignUser
 - Get-DomainForeignUser
- = Find-ForeignGroup
+ - Find-ForeignGroup
 - Get-DomainForeignGroupMember
 - Invoke-MapDomainTrust
 - Get-DomainTrustMapping