diff --git a/rules/windows/defense_evasion_posh_obfuscation.toml b/rules/windows/defense_evasion_posh_obfuscation.toml
index 656ae70ad..3f18767f3 100644
--- a/rules/windows/defense_evasion_posh_obfuscation.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/03"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2026/02/09"
 [rule]
 author = ["Elastic"]
@@ -14,13 +14,13 @@ from = "now-9m"
 index = ["winlogbeat-*", "logs-windows.powershell*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Potential PowerShell Obfuscated Script"
+name = "Deprecated - Potential PowerShell Obfuscated Script"
 note = """## Triage and analysis
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-### Investigating Potential PowerShell Obfuscated Script
+### Investigating Deprecated - Potential PowerShell Obfuscated Script
 PowerShell is a powerful scripting language used for task automation and configuration management in Windows environments. Adversaries exploit its flexibility to obfuscate scripts, evading security measures like AMSI. The detection rule identifies obfuscation patterns, such as string manipulation and encoding techniques, to flag potentially malicious scripts, aiding in defense evasion detection.
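Review bot: The rename to `Deprecated - Potential PowerShell Obfuscated Script` in the second hunk is not matched by a lifecycle change: `maturity = "production"` is still an unchanged context line in the first hunk, and nothing in the note names a replacement rule, so the rule keeps firing under a title that tells analysts to ignore it. If the intent is to retire the rule, the repo's deprecation convention (as far as I recall from other rules) is `maturity = "deprecated"` plus a `deprecation_date` in `[metadata]` rather than a name prefix alone; if the intent is a grace period with the rule still enabled, the `note` should say so up front, e.g. `> **Note**: This rule is deprecated and will be removed in a future release; see the successor rule for current coverage.` with the successor's name filled in. The same gap applies to the three building-block rules renamed later in this diff, whose `maturity` lines are likewise unchanged.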
@@ -51,27 +51,14 @@ PowerShell is a powerful scripting language used for task automation and configu
 - Monitor the system and network for any signs of re-infection or similar obfuscation patterns to ensure the threat has been fully mitigated.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
 references = ["https://github.com/danielbohannon/Invoke-Obfuscation"]
-risk_score = 47
+risk_score = 21
 rule_id = "8025db49-c57c-4fc0-bd86-7ccd6d10a35a"
 setup = """## Setup
-The 'PowerShell Script Block Logging' logging policy must be enabled.
-Steps to implement the logging policy with Advanced Audit Configuration:
-
- ```
-Computer Configuration >
-Administrative Templates >
-Windows PowerShell >
-Turn on PowerShell Script Block Logging (Enable)
-```
-
-Steps to implement the logging policy via registry:
-
-```
-reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
-```
+PowerShell Script Block Logging must be enabled to generate the events used by this rule (e.g., 4104).
+Setup instructions: https://ela.st/powershell-logging-setup
 """
-severity = "medium"
+severity = "low"
 tags = [
 "Domain: Endpoint",
 "OS: Windows",
diff --git a/rules_building_block/discovery_posh_generic.toml b/rules_building_block/discovery_posh_generic.toml
index 93705dbc8..d25af55f2 100644
--- a/rules_building_block/discovery_posh_generic.toml
+++ b/rules_building_block/discovery_posh_generic.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/06"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/02/09"
 [rule]
 author = ["Elastic"]
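Review bot: The new `setup` text drops the only in-repo statement of the required setting (the `EnableScriptBlockLogging` registry value and the GPO path) in favour of an `ela.st` redirect, so the shipped rule is no longer self-describing for analysts working offline or behind an egress filter, and whatever the redirect points at tomorrow silently becomes the guidance for this rule. I would keep one authoritative line next to the link, written with TOML's doubled backslashes as the old text was: `Registry: HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging = 1 (REG_DWORD)`. The phrase `e.g., 4104` is also vaguer than it needs to be; since this rule reads `logs-windows.powershell*`, naming `Microsoft-Windows-PowerShell/Operational` event 4104 (script block text) as the event the rule depends on removes the ambiguity, and the same wording is repeated in the three building-block rules below. Separately, `severity` and `risk_score` are lowered here while the rule stays enabled, so anyone routing alerts on severity will stop seeing this detection before it is actually removed — that is a behaviour change for consumers and deserves a line in the release notes.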
@@ -16,26 +16,13 @@ index = ["winlogbeat-*", "logs-windows.powershell*"]
 interval = "60m"
 language = "kuery"
 license = "Elastic License v2"
-name = "PowerShell Script with Discovery Capabilities"
+name = "Deprecated - PowerShell Script with Discovery Capabilities"
 risk_score = 21
 rule_id = "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be"
 setup = """## Setup
-The 'PowerShell Script Block Logging' logging policy must be enabled.
-Steps to implement the logging policy with Advanced Audit Configuration:
-
-```
-Computer Configuration >
-Administrative Templates >
-Windows PowerShell >
-Turn on PowerShell Script Block Logging (Enable)
-```
-
-Steps to implement the logging policy via registry:
-
-```
-reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
-```
+PowerShell Script Block Logging must be enabled to generate the events used by this rule (e.g., 4104).
+Setup instructions: https://ela.st/powershell-logging-setup
 """
 severity = "low"
 tags = [
diff --git a/rules_building_block/lateral_movement_posh_winrm_activity.toml b/rules_building_block/lateral_movement_posh_winrm_activity.toml
index be606f963..444d49ece 100644
--- a/rules_building_block/lateral_movement_posh_winrm_activity.toml
+++ b/rules_building_block/lateral_movement_posh_winrm_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/12"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/02/09"
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ index = ["winlogbeat-*", "logs-windows.powershell*"]
 interval = "60m"
 language = "kuery"
 license = "Elastic License v2"
-name = "PowerShell Script with Remote Execution Capabilities via WinRM"
+name = "Deprecated - PowerShell Script with Remote Execution Capabilities via WinRM"
 references = [
 "https://attack.mitre.org/techniques/T1021/006/",
 "https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs",
@@ -26,21 +26,8 @@ risk_score = 21
 rule_id = "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83"
 setup = """## Setup
-The 'PowerShell Script Block Logging' logging policy must be enabled.
-Steps to implement the logging policy with Advanced Audit Configuration:
-
-```
-Computer Configuration >
-Administrative Templates >
-Windows PowerShell >
-Turn on PowerShell Script Block Logging (Enable)
-```
-
-Steps to implement the logging policy via registry:
-
-```
-reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
-```
+PowerShell Script Block Logging must be enabled to generate the events used by this rule (e.g., 4104).
+Setup instructions: https://ela.st/powershell-logging-setup
 """
 severity = "low"
 tags = [
diff --git a/rules_building_block/persistence_transport_agent_exchange.toml b/rules_building_block/persistence_transport_agent_exchange.toml
index 977415453..cbc31115a 100644
--- a/rules_building_block/persistence_transport_agent_exchange.toml
+++ b/rules_building_block/persistence_transport_agent_exchange.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/02/09"
 [rule]
 author = ["Elastic"]
@@ -17,23 +17,13 @@ index = ["winlogbeat-*", "logs-windows.powershell*"]
 interval = "60m"
 language = "kuery"
 license = "Elastic License v2"
-name = "Microsoft Exchange Transport Agent Install Script"
+name = "Deprecated - Microsoft Exchange Transport Agent Install Script"
 risk_score = 21
 rule_id = "846fe13f-6772-4c83-bd39-9d16d4ad1a81"
 setup = """## Setup
-The 'PowerShell Script Block Logging' logging policy must be enabled.
-Steps to implement the logging policy with Advanced Audit Configuration:
-```
-Computer Configuration >
-Administrative Templates >
-Windows PowerShell >
-Turn on PowerShell Script Block Logging (Enable)
-```
-Steps to implement the logging policy via registry:
-```
-reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
-```
+PowerShell Script Block Logging must be enabled to generate the events used by this rule (e.g., 4104).
+Setup instructions: https://ela.st/powershell-logging-setup
 """
 severity = "low"
 tags = [