Add More Malicious PowerShell Script/Cmdlet Names

rules/windows/file_event/file_event_win_powershell_exploit_scripts.yml

@@ -2,14 +2,18 @@ title: Malicious PowerShell Commandlet Names
 id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
 status: test
 description: Detects the creation of known powershell scripts for exploitation
-author: Markus Neis
+author: Markus Neis, Nasreddine Bencherchali
 references:
   - https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml
   - https://github.com/PowerShellMafia/PowerSploit
   - https://github.com/NetSPI/PowerUpSQL
   - https://github.com/CsEnox/EventViewer-UACBypass
+  - https://github.com/AlsidOfficial/WSUSpendu/
+  - https://github.com/nettitude/Invoke-PowerThIEf
+  - https://github.com/S3cur3Th1sSh1t/WinPwn
+  - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
 date: 2018/04/07
-modified: 2022/05/13
+modified: 2022/05/20
 logsource:
   category: file_event
   product: windows
@@ -117,6 +121,87 @@ detection:
       - '\Get-GPPAutologon.ps1'
       - '\Get-MicrophoneAudio.ps1'
       - '\Invoke-EventViewer.ps1'
+      - '\WSUSpendu.ps1'
+      - '\Invoke-PowerThIEf.ps1'
+      - '\WinPwn.ps1'
+      - '\Offline_Winpwn.ps1'
+      - '\PowerSharpPack.ps1'
+      - '\Invoke-BadPotato.ps1'
+      - '\Invoke-BetterSafetyKatz.ps1'
+      - '\Invoke-Carbuncle.ps1'
+      - '\Invoke-Certify.ps1'
+      - '\Invoke-DAFT.ps1'
+      - '\Invoke-DinvokeKatz.ps1'
+      - '\Invoke-Eyewitness.ps1'
+      - '\Invoke-FakeLogonScreen.ps1'
+      - '\Invoke-Farmer.ps1'
+      - '\Invoke-Get-RBCD-Threaded.ps1'
+      - '\Invoke-Gopher.ps1'
+      - '\Invoke-Grouper2.ps1'
+      - '\Invoke-HandleKatz.ps1'
+      - '\Invoke-Internalmonologue.ps1'
+      - '\Invoke-KrbRelayUp.ps1'
+      - '\Invoke-LdapSignCheck.ps1'
+      - '\Invoke-Lockless.ps1'
+      - '\Invoke-MITM6.ps1'
+      - '\Invoke-NanoDump.ps1'
+      - '\Invoke-OxidResolver.ps1'
+      - '\Invoke-P0wnedshell.ps1'
+      - '\Invoke-P0wnedshellx86.ps1'
+      - '\Invoke-PPLDump.ps1'
+      - '\Invoke-Rubeus.ps1'
+      - '\Invoke-SCShell.ps1'
+      - '\Invoke-SafetyKatz.ps1'
+      - '\Invoke-SauronEye.ps1'
+      - '\Invoke-Seatbelt.ps1'
+      - '\Invoke-SharPersist.ps1'
+      - '\Invoke-SharpAllowedToAct.ps1'
+      - '\Invoke-SharpBlock.ps1'
+      - '\Invoke-SharpBypassUAC.ps1'
+      - '\Invoke-SharpChromium.ps1'
+      - '\Invoke-SharpClipboard.ps1'
+      - '\Invoke-SharpCloud.ps1'
+      - '\Invoke-SharpDPAPI.ps1'
+      - '\Invoke-SharpDump.ps1'
+      - '\Invoke-SharpGPO-RemoteAccessPolicies.ps1'
+      - '\Invoke-SharpGPOAbuse.ps1'
+      - '\Invoke-SharpHandler.ps1'
+      - '\Invoke-SharpHide.ps1'
+      - '\Invoke-SharpHound4.ps1'
+      - '\Invoke-SharpImpersonation.ps1'
+      - '\Invoke-SharpImpersonationNoSpace.ps1'
+      - '\Invoke-SharpKatz.ps1'
+      - '\Invoke-SharpLdapRelayScan.ps1'
+      - '\Invoke-SharpLoginPrompt.ps1'
+      - '\Invoke-SharpMove.ps1'
+      - '\Invoke-SharpPrintNightmare.ps1'
+      - '\Invoke-SharpPrinter.ps1'
+      - '\Invoke-SharpRDP.ps1'
+      - '\Invoke-SharpSSDP.ps1'
+      - '\Invoke-SharpSecDump.ps1'
+      - '\Invoke-SharpSniper.ps1'
+      - '\Invoke-SharpSploit.ps1'
+      - '\Invoke-SharpSpray.ps1'
+      - '\Invoke-SharpStay.ps1'
+      - '\Invoke-SharpUp.ps1'
+      - '\Invoke-SharpWatson.ps1'
+      - '\Invoke-Sharphound2.ps1'
+      - '\Invoke-Sharphound3.ps1'
+      - '\Invoke-Sharplocker.ps1'
+      - '\Invoke-Sharpshares.ps1'
+      - '\Invoke-Sharpsploit_nomimi.ps1'
+      - '\Invoke-Sharpview.ps1'
+      - '\Invoke-Sharpweb.ps1'
+      - '\Invoke-Snaffler.ps1'
+      - '\Invoke-Spoolsample.ps1'
+      - '\Invoke-StandIn.ps1'
+      - '\Invoke-StickyNotesExtract.ps1'
+      - '\Invoke-Thunderfox.ps1'
+      - '\Invoke-Tokenvator.ps1'
+      - '\Invoke-UrbanBishop.ps1'
+      - '\Invoke-Whisker.ps1'
+      - '\Invoke-WireTap.ps1'
+      - '\Invoke-winPEAS.ps1'
   condition: selection
 falsepositives:
   - Unknown

rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml

@@ -4,12 +4,13 @@ status: experimental
 description: Detects Commandlet names from well-known PowerShell exploitation frameworks
 references:
     - https://adsecurity.org/?p=2921
+    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
 tags:
     - attack.execution
     - attack.t1059.001
-author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update)
+author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update)
 date: 2017/03/05
-modified: 2021/11/29
+modified: 2022/05/20
 logsource:
     product: windows
     category: ps_script
@@ -112,6 +113,80 @@ detection:
             - 'Invoke-SMBScanner'
             - 'Invoke-Mimikittenz'
             - 'Invoke-AllChecks'
+            - 'Invoke-BadPotato'
+            - 'Invoke-BetterSafetyKatz'
+            - 'Invoke-Carbuncle'
+            - 'Invoke-Certify'
+            - 'Invoke-DAFT'
+            - 'Invoke-DinvokeKatz'
+            - 'Invoke-Eyewitness'
+            - 'Invoke-FakeLogonScreen'
+            - 'Invoke-Farmer'
+            - 'Invoke-Get-RBCD-Threaded'
+            - 'Invoke-Gopher'
+            - 'Invoke-Grouper2'
+            - 'Invoke-HandleKatz'
+            - 'Invoke-Internalmonologue'
+            - 'Invoke-KrbRelayUp'
+            - 'Invoke-LdapSignCheck'
+            - 'Invoke-Lockless'
+            - 'Invoke-MITM6'
+            - 'Invoke-NanoDump'
+            - 'Invoke-OxidResolver'
+            - 'Invoke-P0wnedshell'
+            - 'Invoke-PPLDump'
+            - 'Invoke-Rubeus'
+            - 'Invoke-SCShell'
+            - 'Invoke-SafetyKatz'
+            - 'Invoke-SauronEye'
+            - 'Invoke-Seatbelt'
+            - 'Invoke-SharPersist'
+            - 'Invoke-SharpAllowedToAct'
+            - 'Invoke-SharpBlock'
+            - 'Invoke-SharpBypassUAC'
+            - 'Invoke-SharpChromium'
+            - 'Invoke-SharpClipboard'
+            - 'Invoke-SharpCloud'
+            - 'Invoke-SharpDPAPI'
+            - 'Invoke-SharpDump'
+            - 'Invoke-SharpGPO-RemoteAccessPolicies'
+            - 'Invoke-SharpGPOAbuse'
+            - 'Invoke-SharpHandler'
+            - 'Invoke-SharpHide'
+            - 'Invoke-SharpHound4'
+            - 'Invoke-SharpImpersonation'
+            - 'Invoke-SharpImpersonationNoSpace'
+            - 'Invoke-SharpKatz'
+            - 'Invoke-SharpLdapRelayScan'
+            - 'Invoke-SharpLoginPrompt'
+            - 'Invoke-SharpMove'
+            - 'Invoke-SharpPrintNightmare'
+            - 'Invoke-SharpPrinter'
+            - 'Invoke-SharpRDP'
+            - 'Invoke-SharpSSDP'
+            - 'Invoke-SharpSecDump'
+            - 'Invoke-SharpSniper'
+            - 'Invoke-SharpSploit'
+            - 'Invoke-SharpSpray'
+            - 'Invoke-SharpStay'
+            - 'Invoke-SharpUp'
+            - 'Invoke-SharpWatson'
+            - 'Invoke-Sharphound2'
+            - 'Invoke-Sharphound3'
+            - 'Invoke-Sharplocker'
+            - 'Invoke-Sharpshares'
+            - 'Invoke-Sharpview'
+            - 'Invoke-Sharpweb'
+            - 'Invoke-Snaffler'
+            - 'Invoke-Spoolsample'
+            - 'Invoke-StandIn'
+            - 'Invoke-StickyNotesExtract'
+            - 'Invoke-Thunderfox'
+            - 'Invoke-Tokenvator'
+            - 'Invoke-UrbanBishop'
+            - 'Invoke-Whisker'
+            - 'Invoke-WireTap'
+            - 'Invoke-winPEAS'
     false_positives:
         ScriptBlockText|contains:
             - Get-SystemDriveInfo  # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1