diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick.toml index 8a4a8498d..c75ebef9c 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_backtick.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_backtick.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/15" integration = ["windows"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/08/14" [rule] author = ["Elastic"] @@ -107,6 +107,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index powershell.file.script_block_text, powershell.file.script_block_id, file.name, + file.directory, file.path, powershell.sequence, powershell.total, @@ -119,11 +120,16 @@ from logs-windows.powershell_operational* metadata _id, _version, _index // Filter for scripts that match the pattern at least 10 times | where Esql.script_block_pattern_count >= 10 -// Filter FPs, and due to the behavior of the like operator, allow null values -| where (file.name not like "TSS_*.psm1" or file.name is null) +| where file.name not like "TSS_*.psm1" + // ESQL requires this condition, otherwise it only returns matches where file.name exists. + or file.name is null // VSCode Shell integration | where not powershell.file.script_block_text like "*$([char]0x1b)]633*" + +| where not file.directory == "C:\\Program Files\\MVPSI\\JAMS\\Agent\\Temp" + // ESQL requires this condition, otherwise it only returns matches where file.directory exists. + or file.directory is null ''' diff --git a/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml b/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml index c6f0ec60d..937eefa1b 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml 
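Review bot: The added comment `// ESQL requires this condition, otherwise it only returns matches where file.name exists.` describes the effect but not the cause: `not like` against a null `file.name` evaluates to null and `where` discards null rows, so the `or ... is null` arm is ordinary three-valued-logic handling rather than an ES|QL requirement; the same wording is repeated for `file.directory` below and in the high_number_proportion, iex_string_reconstruction and string_format hunks of this commit. Suggest `// NOT LIKE on a null file.name yields null, which WHERE drops; keep rows that have no file.name` (and the `file.directory` equivalent) in each place. The new JAMS exclusion also lacks the one-line source comment its neighbours carry (`// VSCode Shell integration`); add `// MVPSI JAMS agent temp scripts (FP source)` above `| where not file.directory == "C:\\Program Files\\MVPSI\\JAMS\\Agent\\Temp"` so it stays traceable when the exclusion is revisited. That comment should also record that this is an exact path match, so every script run from that directory is excluded regardless of content — an accepted trade-off that is easy to forget later.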
@@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/08/14" [rule] author = ["Elastic"] @@ -108,6 +108,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index Esql.script_block_tmp, powershell.file.script_block_text, powershell.file.script_block_id, + file.directory, file.path, powershell.sequence, powershell.total, @@ -120,8 +121,15 @@ from logs-windows.powershell_operational* metadata _id, _version, _index // Filter for scripts with high numeric character ratio | where Esql.script_block_ratio > 0.30 -// Exclude noisy patterns such as 64-character hash lists -| where not powershell.file.script_block_text rlike """.*\"[a-fA-F0-9]{64}\"\,.*""" +// Exclude Windows Defender Noisy Patterns +| where not ( + file.directory == "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads" or + file.directory like "C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection*" + ) + // ESQL requires this condition, otherwise it only returns matches where file.directory exists. + or file.directory is null +| where not powershell.file.script_block_text like "*[System.IO.File]::Open('C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection*" +| where not powershell.file.script_block_text : "26a24ae4-039d-4ca4-87b4-2f64180311f0" ''' diff --git a/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml b/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml index dcf423bac..efd9de2cb 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml 
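Review bot: The last added line excludes on a bare GUID, `| where not powershell.file.script_block_text : "26a24ae4-039d-4ca4-87b4-2f64180311f0"`, with no comment saying what the GUID identifies, so a later maintainer cannot tell whether the exclusion is still valid; add a comment above it such as `// <component that emits this GUID> – part of the Defender ATP data-collection noise`, filled in from the false-positive sample. The `[System.IO.File]::Open('C:\\\\ProgramData\\\\...DataCollection*` exclusion on the line above is keyed on script content rather than on `file.directory` like the parenthesised block, which makes it broader than the path-scoped exclusions; if the noisy scripts always run from the DataCollection directory, the directory condition already covers them and this line can be dropped or combined with it. The removed line was a generic 64-character hash-list exclusion; it is worth confirming that all of those false positives came from the Defender paths now excluded, since otherwise the rule becomes noisier than before.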
@@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/08/14" [rule] author = ["Elastic"] @@ -50,7 +50,7 @@ PowerShell's Invoke-Expression (IEX) command is a powerful tool for executing st - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement additional monitoring for unusual PowerShell activity and environment variable manipulations to enhance detection of similar threats in the future. """ -risk_score = 21 +risk_score = 47 rule_id = "b0c98cfb-0745-4513-b6f9-08dddb033490" setup = """## Setup @@ -70,7 +70,7 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -severity = "low" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Windows", diff --git a/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml b/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml index 5d5aaeae9..209a778ea 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/08/14" [rule] author = ["Elastic"] @@ -110,6 +110,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index powershell.file.script_block_text, powershell.file.script_block_id, file.path, + file.directory, powershell.sequence, powershell.total, _id, 
@@ -120,6 +121,13 @@ from logs-windows.powershell_operational* metadata _id, _version, _index // Filter for scripts that match the pattern at least once | where Esql.script_block_pattern_count >= 1 + +| where not ( + file.directory like "C:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\Maester\\\\1.1.0*" or + file.directory like "C:\\\\Users\\\\*\\\\Documents\\\\WindowsPowerShell\\\\Modules\\\\Maester\\\\1.1.0*" + ) + // ESQL requires this condition, otherwise it only returns matches where file.directory exists. + or file.directory is null ''' diff --git a/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml b/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml index eb83ae996..9188ea53a 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["windows"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/08/14" [rule] author = ["Elastic"] @@ -93,7 +93,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index // The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1 | eval Esql.script_block_tmp = replace( powershell.file.script_block_text, - """(?i)(rahc|metsys|stekcos|tcejboimw|ecalper|ecnerferpe|noitcennoc|nioj|eman\.|:vne|gnirts|tcejbo-wen|_23niw|noisserpxe|ekovni|daolnwod)""", + """(?i)(rahc|metsys|stekcos|tcejboimw|ecalper|ecnerferpe|noitcennoc|nioj|eman\.|:vne$|gnirts|tcejbo-wen|_23niw|noisserpxe|ekovni|daolnwod)""", "🔥" ) diff --git a/rules/windows/defense_evasion_posh_obfuscation_string_format.toml b/rules/windows/defense_evasion_posh_obfuscation_string_format.toml index 61edfb108..94cdcc68e 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_string_format.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_string_format.toml 
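Review bot: The new Maester exclusion has no comment naming what it excludes or why, unlike the Defender and Icinga exclusions in the sibling rules, and it pins `Maester\\\\1.1.0*` so the exclusion silently stops applying on the next module release; add `// Maester module – <reason for the false positive>; version-pinned on purpose, widen if FPs return after an upgrade` above `| where not (`, or drop the version segment if the pin is not intentional. The second pattern, `C:\\\\Users\\\\*\\\\Documents\\\\WindowsPowerShell\\\\Modules\\\\Maester\\\\1.1.0*`, sits under a user profile, so the comment should also state that anything placed under that path is excluded regardless of content, which is a wider exclusion than the machine-wide module path above it.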
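Review bot: The changed alternative `:vne$` turns `$` into an end-of-input anchor in the regex `replace(` applies, not the literal dollar sign of a reversed `$env:`, so `:vne` now only matches when it is the very last thing in the script block and the reversed `env:` keyword is effectively no longer counted. If the intent is to require the reversed `$env:` prefix, escape it as `:vne\$`, the same way the pattern already escapes the dot in `eman\.`; if the anchor really is intended, a comment on the `| eval Esql.script_block_tmp = replace(` line should say so, because it reads as a typo. The only other hunk in this file is the `updated_date` bump, so nothing else in the commit explains the change.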
@@ -2,7 +2,7 @@ creation_date = "2025/04/03" integration = ["windows"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/08/14" [rule] author = ["Elastic"] @@ -108,7 +108,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index powershell.file.script_block_text, powershell.file.script_block_id, file.path, - file.name, + file.directory, powershell.sequence, powershell.total, _id, @@ -123,8 +123,12 @@ from logs-windows.powershell_operational* metadata _id, _version, _index // Exclude Noisy Patterns // Icinga Framework -| where (file.name not like "framework_cache.psm1" or file.name is null) +| where not file.directory == "C:\\Program Files\\WindowsPowerShell\\Modules\\icinga-powershell-framework\\cache" + // ESQL requires this condition, otherwise it only returns matches where file.directory exists. + or file.directory IS NULL +| where not (powershell.file.script_block_text LIKE "*GitBranchStatus*" AND + powershell.file.script_block_text LIKE "*$s.BranchBehindStatusSymbol.Text*") | where not // https://wtfbins.wtf/17 ( diff --git a/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml b/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml index 930c6d16c..6fa1be5d3 100644 --- a/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml +++ b/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/08/14" [rule] author = ["Elastic"] @@ -85,7 +85,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index user.id // Filter for scripts with high special character ratio -| where Esql.script_block_ratio > 0.25 +| where Esql.script_block_ratio > 0.30 '''
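Review bot: The added lines switch to uppercase `IS NULL`, `LIKE` and `AND` while the rest of this query and the other rules in this commit use lowercase `is null`, `like`, `or` and `not`; keep one case within the file, i.e. `or file.directory is null` and `| where not (powershell.file.script_block_text like "*GitBranchStatus*" and`. The `GitBranchStatus` / `$s.BranchBehindStatusSymbol.Text` exclusion also lacks the source comment that `// Icinga Framework` gives the lines above it; add `// <module that defines BranchBehindStatusSymbol>` (posh-git, if the false-positive sample confirms it) above `| where not (`. The Icinga filter now matches the exact directory `C:\\Program Files\\WindowsPowerShell\\Modules\\icinga-powershell-framework\\cache` instead of `file.name`, so an Icinga install outside that path is no longer excluded; that assumption belongs in the `// Icinga Framework` comment.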
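Review bot: The threshold change from `0.25` to `0.30` in `| where Esql.script_block_ratio > 0.30` is not explained; the comment above it, `// Filter for scripts with high special character ratio`, gives no basis for the cutoff. Record the rationale next to it, e.g. `// 0.30 chosen after FP review on <date>; lowering it re-admits <noise source>` with the specifics filled in, since a building-block rule threshold is otherwise hard to revisit when detections downstream change.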