From f45587074b33d90956e4ff2d074a25ef2b4ab4a2 Mon Sep 17 00:00:00 2001
From: Alessio Dalla Piazza
Date: Mon, 23 Dec 2019 11:50:57 +0100
Subject: [PATCH] Add the ability to detect PowerUp - Invoke-AllChecks

PowerUp allow attackers to check if is possible to have a local privilege escalation attacks against Windows systems. The main function is called "Invoke-AllChecks" and check possible path of escalation.
---
 rules/windows/powershell/powershell_malicious_commandlets.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml
index 6b3f4fd0c..b2fb35698 100644
--- a/rules/windows/powershell/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_malicious_commandlets.yml
@@ -110,6 +110,7 @@ detection:
 - "*Invoke-ReverseDNSLookup*"
 - "*Invoke-SMBScanner*"
 - "*Invoke-Mimikittenz*"
+ - "*Invoke-AllChecks*"
 false_positives:
 - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
 condition: keywords and not false_positives
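Review bot: The added keyword `"*Invoke-AllChecks*"` is a bare function-name substring with no provenance recorded in the rule itself; unless the rule's `references` list (outside this hunk) already cites PowerUp, it should be added so a triage analyst can judge why the name is considered malicious and how specific it is. "AllChecks" is a generic enough verb-noun that an in-house maintenance script could match it, so it is worth watching the first hits and adding a `false_positives` entry if one turns up, as the rule already does for `Get-SystemDriveInfo`. Presumably the same PowerUp checks are also reachable under the later name `Invoke-PrivescAudit`; if that holds for the version you care about, consider adding `- "*Invoke-PrivescAudit*"` beside the new line so the detection does not depend on the legacy alias alone. The enclosing `detection:` block and its `keywords:` key begin before this hunk.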