Add More Malicious PowerShell Script/Cmdlet Names

rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml

@@ -4,12 +4,13 @@ status: experimental
 description: Detects Commandlet names from well-known PowerShell exploitation frameworks
 references:
     - https://adsecurity.org/?p=2921
+    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
 tags:
     - attack.execution
     - attack.t1059.001
-author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update)
+author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update)
 date: 2017/03/05
-modified: 2021/11/29
+modified: 2022/05/20
 logsource:
     product: windows
     category: ps_script
@@ -112,6 +113,80 @@ detection:
             - 'Invoke-SMBScanner'
             - 'Invoke-Mimikittenz'
             - 'Invoke-AllChecks'
+            - 'Invoke-BadPotato'
+            - 'Invoke-BetterSafetyKatz'
+            - 'Invoke-Carbuncle'
+            - 'Invoke-Certify'
+            - 'Invoke-DAFT'
+            - 'Invoke-DinvokeKatz'
+            - 'Invoke-Eyewitness'
+            - 'Invoke-FakeLogonScreen'
+            - 'Invoke-Farmer'
+            - 'Invoke-Get-RBCD-Threaded'
+            - 'Invoke-Gopher'
+            - 'Invoke-Grouper2'
+            - 'Invoke-HandleKatz'
+            - 'Invoke-Internalmonologue'
+            - 'Invoke-KrbRelayUp'
+            - 'Invoke-LdapSignCheck'
+            - 'Invoke-Lockless'
+            - 'Invoke-MITM6'
+            - 'Invoke-NanoDump'
+            - 'Invoke-OxidResolver'
+            - 'Invoke-P0wnedshell'
+            - 'Invoke-PPLDump'
+            - 'Invoke-Rubeus'
+            - 'Invoke-SCShell'
+            - 'Invoke-SafetyKatz'
+            - 'Invoke-SauronEye'
+            - 'Invoke-Seatbelt'
+            - 'Invoke-SharPersist'
+            - 'Invoke-SharpAllowedToAct'
+            - 'Invoke-SharpBlock'
+            - 'Invoke-SharpBypassUAC'
+            - 'Invoke-SharpChromium'
+            - 'Invoke-SharpClipboard'
+            - 'Invoke-SharpCloud'
+            - 'Invoke-SharpDPAPI'
+            - 'Invoke-SharpDump'
+            - 'Invoke-SharpGPO-RemoteAccessPolicies'
+            - 'Invoke-SharpGPOAbuse'
+            - 'Invoke-SharpHandler'
+            - 'Invoke-SharpHide'
+            - 'Invoke-SharpHound4'
+            - 'Invoke-SharpImpersonation'
+            - 'Invoke-SharpImpersonationNoSpace'
+            - 'Invoke-SharpKatz'
+            - 'Invoke-SharpLdapRelayScan'
+            - 'Invoke-SharpLoginPrompt'
+            - 'Invoke-SharpMove'
+            - 'Invoke-SharpPrintNightmare'
+            - 'Invoke-SharpPrinter'
+            - 'Invoke-SharpRDP'
+            - 'Invoke-SharpSSDP'
+            - 'Invoke-SharpSecDump'
+            - 'Invoke-SharpSniper'
+            - 'Invoke-SharpSploit'
+            - 'Invoke-SharpSpray'
+            - 'Invoke-SharpStay'
+            - 'Invoke-SharpUp'
+            - 'Invoke-SharpWatson'
+            - 'Invoke-Sharphound2'
+            - 'Invoke-Sharphound3'
+            - 'Invoke-Sharplocker'
+            - 'Invoke-Sharpshares'
+            - 'Invoke-Sharpview'
+            - 'Invoke-Sharpweb'
+            - 'Invoke-Snaffler'
+            - 'Invoke-Spoolsample'
+            - 'Invoke-StandIn'
+            - 'Invoke-StickyNotesExtract'
+            - 'Invoke-Thunderfox'
+            - 'Invoke-Tokenvator'
+            - 'Invoke-UrbanBishop'
+            - 'Invoke-Whisker'
+            - 'Invoke-WireTap'
+            - 'Invoke-winPEAS'
     false_positives:
         ScriptBlockText|contains:
             - Get-SystemDriveInfo  # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1