[Rule Tuning] Replaces event.code with event.category on PowerShell ScriptBlock Rules (#1620)

* Replaces event.code with event.category

* bump updated_date

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 851c566730)

rules/windows/collection_posh_audio_capture.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/19"
 maturity = "production"
-updated_date = "2021/10/19"
+updated_date = "2021/11/17"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.code:"4104" and 
+event.category:process and 
   powershell.file.script_block_text : (
     Get-MicrophoneAudio or (waveInGetNumDevs and mciSendStringA)
   )

rules/windows/credential_access_posh_minidump.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/05"
 maturity = "production"
-updated_date = "2021/10/05"
+updated_date = "2021/11/17"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.code:"4104" and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM)
+event.category:process and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM)
 '''
 
 

rules/windows/defense_evasion_posh_process_injection.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/14"
 maturity = "production"
-updated_date = "2021/10/14"
+updated_date = "2021/11/17"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.code:"4104" and 
+event.category:process and 
   powershell.file.script_block_text : (
    (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or
       LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and

rules/windows/discovery_posh_suspicious_api_functions.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/13"
 maturity = "production"
-updated_date = "2021/10/14"
+updated_date = "2021/11/17"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.code:"4104" and 
+event.category:process and 
   powershell.file.script_block_text : (
     NetShareEnum or
     NetWkstaUserEnum or

rules/windows/execution_posh_portable_executable.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/15"
 maturity = "production"
-updated_date = "2021/10/15"
+updated_date = "2021/11/17"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.code:"4104" and 
+event.category:process and 
   powershell.file.script_block_text : (
     TVqQAAMAAAAEAAAA
   )