rules/ml/execution_ml_windows_anomalous_script.toml

[metadata]
creation_date = "2020/03/25"
maturity = "production"
updated_date = "2023/03/06"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"

[rule]
anomaly_threshold = 50
author = ["Elastic"]
description = """
A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be
a characteristic of malicious PowerShell script text blocks.
"""
false_positives = [
    """
    Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or
    have unusual script block payloads may trigger this alert.
    """,
]
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = ["v3_windows_anomalous_script"]
name = "Suspicious Powershell Script"
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"]
risk_score = 21
rule_id = "1781d055-5c66-4adf-9d60-fc0fa58337b6"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Execution"]
type = "machine_learning"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"


    [[rule.threat.technique.subtechnique]]
    id = "T1059.001"
    name = "PowerShell"
    reference = "https://attack.mitre.org/techniques/T1059/001/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
Populate rules/ directory. 2020-06-29 22:57:00 -06:00			`[metadata]`
			`creation_date = "2020/03/25"`
			`maturity = "production"`
[Security Content] Expand Abbreviated Tags (#2414 ) 2023-03-06 17:37:52 -03:00			`updated_date = "2023/03/06"`
min_stack all rules to 8.3 (#2259 ) 2022-08-24 10:38:49 -06:00			`min_stack_comments = "New fields added: required_fields, related_integrations, setup"`
Modifying rules assoc w/ deprecation of v2 ML jobs (#1846 ) 2022-05-20 15:02:27 -05:00			`min_stack_version = "8.3.0"`
Populate rules/ directory. 2020-06-29 22:57:00 -06:00
			`[rule]`
			`anomaly_threshold = 50`
			`author = ["Elastic"]`
			`description = """`
			`A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be`
			`a characteristic of malicious PowerShell script text blocks.`
			`"""`
			`false_positives = [`
			`"""`
Update terminology in ML job rules 2020-07-14 23:21:46 -04:00			`Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or`
			`have unusual script block payloads may trigger this alert.`
Populate rules/ directory. 2020-06-29 22:57:00 -06:00			`""",`
			`]`
			`from = "now-45m"`
			`interval = "15m"`
Update License to Elastic v2 (#944 ) 2021-03-03 22:12:11 -09:00			`license = "Elastic License v2"`
Modifying rules assoc w/ deprecation of v2 ML jobs (#1846 ) 2022-05-20 15:02:27 -05:00			`machine_learning_job_id = ["v3_windows_anomalous_script"]`
Populate rules/ directory. 2020-06-29 22:57:00 -06:00			`name = "Suspicious Powershell Script"`
[Rule Tuning] Link Elastic Security Labs content to compatible rules (#2388 ) 2022-11-07 15:17:49 -05:00			`references = [`
			`"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",`
			`"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"]`
Populate rules/ directory. 2020-06-29 22:57:00 -06:00			`risk_score = 21`
			`rule_id = "1781d055-5c66-4adf-9d60-fc0fa58337b6"`
			`severity = "low"`
[Security Content] Expand Abbreviated Tags (#2414 ) 2023-03-06 17:37:52 -03:00			`tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Execution"]`
Populate rules/ directory. 2020-06-29 22:57:00 -06:00			`type = "machine_learning"`

[Rule Tuning] Missing MITRE ATT&CK Mappings (#2073 ) 2022-07-22 14:30:34 -04:00			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
			`id = "T1059"`
			`name = "Command and Scripting Interpreter"`
			`reference = "https://attack.mitre.org/techniques/T1059/"`


			`[[rule.threat.technique.subtechnique]]`
			`id = "T1059.001"`
			`name = "PowerShell"`
			`reference = "https://attack.mitre.org/techniques/T1059/001/"`


			`[rule.threat.tactic]`
			`id = "TA0002"`
			`name = "Execution"`
			`reference = "https://attack.mitre.org/tactics/TA0002/"`