[Rule Tuning] PowerShell Rules Tuning (#3169)

rules/windows/collection_mailbox_export_winlog.toml

@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/05"
+updated_date = "2023/10/11"
 
 [rule]
 author = ["Elastic"]
@@ -70,8 +70,11 @@ type = "query"
 query = '''
 event.category:process and host.os.type:windows and
   powershell.file.script_block_text : "New-MailboxExportRequest" and
-  not (file.path : (*Microsoft* and *Exchange* and *RemotePowerShell* or *AppData* and *Local*) and
-  file.name:(*.psd1 or *.psm1))
+  not (
+    file.path : (
+      ?\:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*
+    ) and file.name:(*.psd1 or *.psm1)
+  )
 '''
 
 

rules/windows/collection_posh_clipboard_capture.toml

@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/05"
+updated_date = "2023/10/11"
 
 [rule]
 author = ["Elastic"]
@@ -94,14 +94,20 @@ event.category:process and host.os.type:windows and
    powershell.file.script_block_text : (
     "]::GetText" or
     ".Paste()"
-  )) or powershell.file.script_block_text : "Get-Clipboard"
-  and not powershell.file.script_block_text : (
+  )) or powershell.file.script_block_text : "Get-Clipboard" and
+  not powershell.file.script_block_text : (
     "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
-  )
-  and not user.id : "S-1-5-18"
-  and not file.path : (*WindowsPowerShell*Modules*.psd1 or *WindowsPowerShell*Modules*.psm1)
-  and not (
-    file.path : *WindowsPowerShell*Modules*.ps1 and
+  ) and
+  not user.id : "S-1-5-18" and
+  not file.path : (
+        ?\:\\\\program?files\\\\powershell\\\\?\\\\Modules\\\\*.psd1 or
+        ?\:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\*.psd1 or
+        ?\:\\\\WINDOWS\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\*.psd1 or
+        ?\:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.psd1 or
+        ?\:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.psm1
+      ) and 
+  not (
+    file.path : ?\:\\\\Program?Files\\\\WindowsPowerShell\\\\*Modules*.ps1 and
     file.name : ("Convert-ExcelRangeToImage.ps1" or "Read-Clipboard.ps1")
   )
 '''

rules/windows/collection_posh_mailbox.toml

@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/28"
+updated_date = "2023/10/11"
 
 [rule]
 author = ["Elastic"]
@@ -97,7 +97,7 @@ event.category:process and host.os.type:windows and
       "Microsoft.Exchange.WebServices.Data.Folder" or
       "Microsoft.Exchange.WebServices.Data.FileAttachment"
    )
-   )
+  ) and not user.id : "S-1-5-18"
 '''
 
 

rules/windows/credential_access_posh_request_ticket.toml

@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/05"
+updated_date = "2023/10/11"
 
 [rule]
 author = ["Elastic"]
@@ -84,8 +84,8 @@ query = '''
 event.category:process and host.os.type:windows and
   powershell.file.script_block_text : (
     KerberosRequestorSecurityToken
-  ) and not user.id : "S-1-5-18"
-  and not powershell.file.script_block_text : (
+  ) and not user.id : ("S-1-5-18" or "S-1-5-20") and
+  not powershell.file.script_block_text : (
     "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
   )
 '''

rules/windows/defense_evasion_posh_compressed.toml

@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/05"
+updated_date = "2023/10/11"
 
 [transform]
 [[transform.osquery]]
@@ -138,10 +138,9 @@ event.category:process and host.os.type:windows and
       "IO.Compression.GzipStream"
     ) and
     FromBase64String
-  ) and not 
-  (user.id:("S-1-5-18" or "S-1-5-19") and
-   file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads")
-  and not user.id : "S-1-5-18"
+  ) and
+  not file.path: ?\:\\\\ProgramData\\\\Microsoft\\\\Windows?Defender?Advanced?Threat?Protection\\\\Downloads\\\\* and
+  not user.id : "S-1-5-18"
 '''
 
 

rules/windows/execution_posh_hacktool_functions.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2023/07/17"
+updated_date = "2023/10/11"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -224,10 +224,11 @@ event.category:process and host.os.type:windows and
     "Invoke-FileTransferOverWMI" or "Invoke-WMImplant" or
     "Invoke-WMIObfuscatedPSCommand" or "Invoke-WMIDuplicateClass" or
     "Invoke-WMIUpload" or "Invoke-WMIRemoteExtract" or "Invoke-winPEAS"
-  )
-  and not powershell.file.script_block_text : (
+  ) and
+  not powershell.file.script_block_text : (
     "sentinelbreakpoints" and "Set-PSBreakpoint"
-  )
+  ) and
+  not user.id : ("S-1-5-18" or "S-1-5-19")
 '''
 
 

rules/windows/execution_posh_psreflect.toml

@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/11"
 
 [transform]
 [[transform.osquery]]
@@ -152,7 +152,9 @@ event.category:process and host.os.type:windows and
     "Reflection.Emit.OpCodes" or
     "Reflection.Emit.CustomAttributeBuilder" or
     "Runtime.InteropServices.DllImportAttribute"
-  ) and not user.id : "S-1-5-18"
+  ) and
+  not user.id : "S-1-5-18" and
+  not file.path : ?\:\\\\ProgramData\\\\MaaS360\\\\Cloud?Extender\\\\AR\\\\Scripts\\\\ASModuleCommon.ps1*
 '''
 
 

rules/windows/privilege_escalation_posh_token_impersonation.toml

@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/05"
+updated_date = "2023/10/11"
 
 [rule]
 author = ["Elastic"]
@@ -73,10 +73,12 @@ event.category:process and host.os.type:windows and
       "CreatePRocessAsUserW" or
       "CreateProcessAsUserA")
     ) 
-  ) and not 
-  (user.id:("S-1-5-18" or "S-1-5-19") and
-   file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads")
-  and not powershell.file.script_block_text : (
+  ) and
+  not (
+    user.id:("S-1-5-18" or "S-1-5-19" or "S-1-5-20") and
+    file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads"
+  ) and
+  not powershell.file.script_block_text : (
     "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
   )
 '''

rules_building_block/collection_posh_compression.toml

@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/18"
+updated_date = "2023/10/11"
 
 
 [rule]
@@ -63,7 +63,13 @@ event.category:process and host.os.type:windows and
     "ZipArchiveMode"
   ) or
   powershell.file.script_block_text : "Compress-Archive"
-) and not file.path : *ProgramData*Microsoft*Windows*Defender*Advanced*Threat*Protection*DataCollection*
+) and 
+  not file.path : (
+        ?\:\\\\ProgramData\\\\Microsoft\\\\Windows?Defender?Advanced?Threat?Protection\\\\Downloads\\\\* or
+        ?\:\\\\ProgramData\\\\Microsoft\\\\Windows?Defender?Advanced?Threat?Protection\\\\DataCollection\\\\* or
+        ?\:\\\\Program?Files\\\\Microsoft?Dependency?Agent\\\\plugins\\\\* or
+        ?\:\\\\Program?Files\\\\Azure\\\\StorageSyncAgent\\\\AFSDiag.ps1
+      )
 '''
 
 

rules_building_block/defense_evasion_powershell_clear_logs_script.toml

@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/06"
+updated_date = "2023/10/11"
 
 [rule]
 author = ["Elastic"]
@@ -55,6 +55,9 @@ event.category:process and host.os.type:windows and
     "Remove-EventLog" or
     ("Eventing.Reader.EventLogSession" and ".ClearLog") or
     ("Diagnostics.EventLog" and ".Clear")
+  ) and
+  not file.path : (
+    ?\:\\\\*\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Management\\\\*.psd1
   )
 '''
 

rules_building_block/discovery_posh_generic.toml

@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/16"
+updated_date = "2023/10/11"
 
 
 [rule]
@@ -132,16 +132,25 @@ event.category:process and host.os.type:windows and
         "CSFalcon" or "TmPfw" or "kvoop"
       )
     )
-  ) and not user.id : ("S-1-5-18" or "S-1-5-19" or "S-1-5-20")
-  and not file.path : (
-            *WindowsPowerShell*Modules*.psd1 or
-            *WindowsPowerShell*Modules*.psm1 or 
-            "C:\\Program Files\\Microsoft Azure AD Sync\\Extensions\\AADConnector.psm1"
-          )
-  and not (file.path : (
-            *Windows*TEMP*SDIAG* or
-            *WINDOWS*TEMP*SDIAG* or
-            *windows*TEMP*SDIAG*) and file.name : "CL_Utility.ps1")
+  ) and
+  not user.id : ("S-1-5-18" or "S-1-5-19" or "S-1-5-20") and
+  not file.path : (
+        ?\:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.psd1 or
+        ?\:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.psm1 or
+        ?\:\\\\Program?Files\\\\Microsoft?Azure?AD?Sync\\\\Extensions\\\\AADConnector.psm1* or
+        *ServiceNow?MID?Server*agent\\\\scripts\\\\PowerShell\\\\*.psm1 or
+        ?\:\\\\*\\\\IMECache\\\\HealthScripts\\\\*\\\\detect.ps1
+      ) and
+  not (
+    file.path : (
+      ?\:\\\\*\\\\TEMP\\\\SDIAG* or
+      ?\:\\\\TEMP\\\\SDIAG* or
+      ?\:\\\\Temp\\\\SDIAG* or
+      ?\:\\\\temp\\\\SDIAG* or
+      ?\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\SDIAG* or
+      ?\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\SDIAG*
+    ) and file.name : "CL_Utility.ps1"
+  )
 '''
 
 

rules_building_block/lateral_movement_posh_winrm_activity.toml

@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/12"
+updated_date = "2023/10/11"
 
 [rule]
 author = ["Elastic"]
@@ -53,6 +53,14 @@ query = '''
 event.category:process and host.os.type:windows and
   powershell.file.script_block_text : (
     ("Invoke-WmiMethod" or "Invoke-Command" or "Enter-PSSession") and "ComputerName"
+  ) and
+  not user.id : "S-1-5-18" and
+  not file.directory : (
+    "C:\\Program Files\\LogicMonitor\\Agent\\tmp" or
+    ?\:\\\\Program?Files\\\\Microsoft\\\\Exchange?Server\\\\*\\\\bin or
+    ?\:\\\\Logicmonitor\\\\tmp* or
+    ?\:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\* or
+    ?\:\\\\ExchangeServer\\\\bin*
   )
 '''