From 5e1ac4f4505fdb13b427df26a2a32407f5af5ca6 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 1 Dec 2025 15:06:48 +0000
Subject: [PATCH] [Tuning] Powershell Atomics test gaps for T1059.001 (#5380)

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md
---
 rules/windows/execution_posh_hacktool_functions.toml | 5 +++--
 .../execution_windows_powershell_susp_args.toml | 11 +++++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/rules/windows/execution_posh_hacktool_functions.toml b/rules/windows/execution_posh_hacktool_functions.toml
index 0a0af1433..9078b34e8 100644
--- a/rules/windows/execution_posh_hacktool_functions.toml
+++ b/rules/windows/execution_posh_hacktool_functions.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/09/03"
+updated_date = "2025/12/01"
 
 [transform]
 [[transform.osquery]]
@@ -321,7 +321,8 @@ event.category:process and host.os.type:windows and
 "Invoke-FileTransferOverWMI" or "Invoke-WMImplant" or "Invoke-WMIObfuscatedPSCommand" or
 "Invoke-WMIDuplicateClass" or "Invoke-WMIUpload" or "Invoke-WMIRemoteExtract" or "Invoke-winPEAS" or
- "Invoke-AzureHound" or "Invoke-SharpHound"
+ "Invoke-AzureHound" or "Invoke-SharpHound" or "Invoke-DownloadCradle" or
+ "Invoke-AppPathBypass"
 ) and not powershell.file.script_block_text : (
 "sentinelbreakpoints" and "Set-PSBreakpoint"
diff --git a/rules/windows/execution_windows_powershell_susp_args.toml b/rules/windows/execution_windows_powershell_susp_args.toml
index aadb6c929..bf4474a4e 100644
--- a/rules/windows/execution_windows_powershell_susp_args.toml
+++ b/rules/windows/execution_windows_powershell_susp_args.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/06"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/18"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -150,7 +150,9 @@ process where host.os.type == "windows" and event.type == "start" and
 "*$env:computername*http*",
 "*;InVoKe-ExpRESsIoN $COntent.CONTENt;*",
 "*WebClient*example.com*",
- "*=iwr $*;iex $*"
+ "*=iwr $*;iex $*",
+ "*ServerXmlHttp*IEX*",
+ "*XmlDocument*IEX*"
 ) or
 (process.args : "-c" and process.args : "&{'*") or
@@ -161,6 +163,11 @@ process where host.os.type == "windows" and event.type == "start" and
 process.args : "$*$*;set-alias" or
+ process.args == "-e" or
+
+ // ATHPowerShellCommandLineParameter
+ process.args : ("-EncodedCommandParamVariation", "-UseEncodedArguments", "-CommandParamVariation") or
+
 ( process.parent.name : ("explorer.exe", "cmd.exe") and
 process.command_line : ("*-encodedCommand*", "*Invoke-webrequest*", "*WebClient*", "*Reflection.Assembly*"))
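Review bot: The new `process.args == "-e" or` clause in the third hunk compares with `==`, while the clause directly above it and the rest of this argument list use the `:` operator; if `==` is case-sensitive here as it is for strings in EQL, a differently cased spelling of the same switch would not be matched, so `process.args : "-e" or` keeps the clause consistent with its neighbours and closes that gap. The list under `// ATHPowerShellCommandLineParameter` is explained only by that bare identifier; a one-line comment such as `// parameter names of the Atomic test harness (T1059.001), not PowerShell switches; expected to be rare outside test execution` would let a maintainer judge its noise profile without opening the linked atomics page. The enclosing query starts before this hunk, and the trailing context visible here appears to be cut short, so the closing of the expression cannot be checked from the patch as shown.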