From 6ac71050dc047b58227aaf8fc98e69ccd40569a2 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Mon, 8 Sep 2025 07:59:53 -0700
Subject: [PATCH] [Rule Tuning] Remote File Download via PowerShell (#5062)

* [Rule Tuning] Remote File Download via PowerShell
* Update command_and_control_remote_file_copy_powershell.toml
* Update rules/windows/command_and_control_remote_file_copy_powershell.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update command_and_control_remote_file_copy_powershell.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---
 ...d_control_remote_file_copy_powershell.toml | 35 ++++++++++++-------
 1 file changed, 23 insertions(+), 12 deletions(-)

diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml
index 3e41e8ec3..56c445ecd 100644
--- a/rules/windows/command_and_control_remote_file_copy_powershell.toml
+++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/09/04"
 
 [transform]
 [[transform.osquery]]
@@ -133,18 +133,29 @@ type = "eql"
 query = '''
 sequence by process.entity_id with maxspan=30s
-
-[network where host.os.type == "windows" and
- process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and network.protocol == "dns" and
- not dns.question.name : (
- "localhost", "*.microsoft.com", "*.azureedge.net", "*.powershellgallery.com",
- "*.windowsupdate.com", "metadata.google.internal", "dist.nuget.org",
- "artifacts.elastic.co", "*.digicert.com", "packages.chocolatey.org",
- "outlook.office365.com"
- ) and not user.id : "S-1-5-18"]
+[network where host.os.type == "windows" and
+ process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and
+ network.protocol == "dns" and
+ not dns.question.name : (
+ "*.microsoft.com", "*.azureedge.net", "*.powershellgallery.com", "*.windowsupdate.com",
+ "metadata.google.internal", "dist.nuget.org", "artifacts.elastic.co", "*.digicert.com",
+ "*.chocolatey.org", "outlook.office365.com", "cdn.oneget.org", "ci.dot.net",
+ "packages.icinga.com", "login.microsoftonline.com", "*.gov", "*.azure.com", "*.python.org",
+ "dl.google.com", "sensor.cloud.tenable.com", "*.azurefd.net", "*.office.net", "*.anac*",
+ "aka.ms", "dot.net", "*.visualstudio.com", "*.local") and
+ not user.id == "S-1-5-18" and
+ /* Filter out NetBIOS/LLMNR-style names (e.g. host, localhost, etc.) */
+ dns.question.name regex """.*\.[a-zA-Z]{2,5}"""]
 [file where host.os.type == "windows" and event.type == "creation" and
- process.name : "powershell.exe" and file.extension : ("exe", "dll", "ps1", "bat") and
- not file.name : "__PSScriptPolicy*.ps1"]
+ process.name : "powershell.exe" and
+ (file.extension : ("exe", "dll", "ps1", "bat") or file.Ext.header_bytes : "4d5a*") and
+ not file.name : "__PSScriptPolicy*.ps1" and
+ not file.path : (
+ "?:\\Users\\*\\AppData\\Local\\Temp\\????????.dll",
+ "?:\\Users\\*\\AppData\\Local\\Temp\\*\\????????.dll",
+ "?:\\Windows\\TEMP\\ansible-tmp-*\\AnsiballZ*.ps1"
+ ) and
+ not user.id == "S-1-5-18"]
 '''