From 0c3b251208ed9b955e2a8eee38b7d48aec002367 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Tue, 22 Aug 2023 07:45:00 -0300
Subject: [PATCH] [Rule Tuning] PowerShell Keylogging Script (#3023)

---
 rules/windows/collection_posh_keylogger.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml
index 8752a6e53..4bac504b5 100644
--- a/rules/windows/collection_posh_keylogger.toml
+++ b/rules/windows/collection_posh_keylogger.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/05"
+updated_date = "2023/08/21"
 
 [rule]
 author = ["Elastic"]
@@ -90,11 +90,11 @@ event.category:process and host.os.type:windows and
 powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or "Get-Keystrokes") or
 powershell.file.script_block_text : (
 (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and
-(GetForegroundWindow or GetWindowTextA or GetWindowTextW or "WM_KEYBOARD_LL")
+(GetForegroundWindow or GetWindowTextA or GetWindowTextW or "WM_KEYBOARD_LL" or "WH_MOUSE_LL")
 )
 ) and not user.id : "S-1-5-18" and
 not powershell.file.script_block_text : (
-"sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
+"sentinelbreakpoints" and "Set-PSBreakpoint"
 )
 '''
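Review bot: The added indicator line in the second hunk keeps `"WM_KEYBOARD_LL"`, which is not a Win32 identifier — the low-level keyboard hook type passed to SetWindowsHookEx is `WH_KEYBOARD_LL` (the `WM_` prefix belongs to window messages), so a script that references the hook by its real constant is only caught by the other terms in that group, while the newly added `"WH_MOUSE_LL"` does use the correct prefix. Unless the spelling is deliberate, the line should read `(GetForegroundWindow or GetWindowTextA or GetWindowTextW or "WH_KEYBOARD_LL" or "WH_MOUSE_LL")`. The narrowed exclusion further down now suppresses any script block that contains both `"sentinelbreakpoints"` and `"Set-PSBreakpoint"`, a wider carve-out than the previous three-term condition; if the rule's false-positive notes do not already name the tooling this exclusion is meant for, a short comment above the `not powershell.file.script_block_text` clause such as `# exclude <tooling name> debugging scripts; see false_positives` would make the intent reviewable. The `query` literal that this hunk edits opens before the hunk, so the surrounding `(` group is not visible here.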