[Rule Tuning] PowerShell Rules - Misc Tuning/Severity Bumps (#5486)

* [Rule Tuning] PowerShell Misc Tuning/Severity Bump

* bump severity
Jonhnathan
2025-12-18 08:30:22 -03:00
parent 5ec8e3e500
commit a9bdfaaea3
7 changed files with 23 additions and 20 deletions
@@ -2,7 +2,7 @@
creation_date = "2025/04/15"
integration = ["windows"]
maturity = "production"
updated_date = "2025/12/09"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -117,8 +117,8 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
agent.id,
user.id
// Filter for scripts that match the pattern at least 10 times
| where Esql.script_block_pattern_count >= 10
// Filter for scripts that match the pattern at least 20 times
| where Esql.script_block_pattern_count >= 20
| where file.name not like "TSS_*.psm1"
// ESQL requires this condition, otherwise it only returns matches where file.name exists.
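Review bot: The raised threshold on `| where Esql.script_block_pattern_count >= 20` is a tuning constant whose rationale is recorded nowhere in the file, so the next tuner cannot tell whether scripts matching 10-19 times were noisy or merely rare; the companion comment only restates the number. Record the reason and date next to it, e.g. `// Threshold raised from 10 to 20 on 2025/12/17 (#5486, tuning); scripts matching 10-19 times no longer alert`. The same applies to the ratio bump from 0.30 to 0.35 on `| where Esql.script_block_ratio > 0.35` in the fifth and seventh files and to the count bump from 4 to 5 in the sixth file. The ES|QL query this line belongs to starts at the `from logs-windows.powershell_operational*` line outside the hunk and continues past it.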
@@ -2,7 +2,7 @@
creation_date = "2025/04/16"
integration = ["windows"]
maturity = "production"
updated_date = "2025/12/09"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -51,7 +51,7 @@ PowerShell, a powerful scripting language in Windows environments, can be exploi
- Implement enhanced monitoring on the affected host and similar systems to detect any recurrence of obfuscation techniques or related suspicious activities.
- Update endpoint protection and intrusion detection systems with indicators of compromise (IOCs) derived from the analysis to improve detection capabilities for similar threats in the future.
"""
risk_score = 21
risk_score = 73
rule_id = "d43f2b43-02a1-4219-8ce9-10929a32a618"
setup = """## Setup
@@ -71,7 +71,7 @@ Steps to implement the logging policy via registry:
reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
```
"""
severity = "low"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Windows",
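Review bot: `risk_score = 73` with `severity = "high"` is a jump from `21`/`"low"` with no accompanying change to the query or to the `note` text in this file, so the alert volume that previously surfaced as low severity now lands at high severity unchanged, and the commit message (`bump sev`) gives no rationale. State the driver in the rule's description or `note` (for instance the observed true-positive rate, or alignment with the sibling obfuscation rules) so the bump is auditable when someone later questions it. The same change appears in the third and fourth files and would take the same explanation. The two new values are at least consistent with each other under the 21/low and 73/high pairing the file already uses.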
@@ -2,7 +2,7 @@
creation_date = "2025/04/14"
integration = ["windows"]
maturity = "production"
updated_date = "2025/12/09"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -51,7 +51,7 @@ PowerShell, a powerful scripting language, is often targeted by adversaries for
- Update endpoint protection and ensure that AMSI and other security features are fully enabled and configured to detect similar threats.
- Escalate the incident to the security operations center (SOC) for further analysis and to determine if additional systems are affected.
"""
risk_score = 21
risk_score = 73
rule_id = "85e2d45e-a3df-4acf-83d3-21805f564ff4"
setup = """## Setup
@@ -71,7 +71,7 @@ Steps to implement the logging policy via registry:
reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
```
"""
severity = "low"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Windows",
@@ -2,7 +2,7 @@
creation_date = "2025/04/15"
integration = ["windows"]
maturity = "production"
updated_date = "2025/12/09"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -50,7 +50,7 @@ PowerShell is a powerful scripting language used for task automation and configu
- Escalate the incident to the security operations team for further analysis and to determine if additional systems have been compromised.
- Update endpoint protection and monitoring tools to enhance detection capabilities for similar obfuscation techniques, leveraging insights from the MITRE ATT&CK framework.
"""
risk_score = 21
risk_score = 73
rule_id = "083383af-b9a4-42b7-a463-29c40efe7797"
setup = """## Setup
@@ -70,7 +70,7 @@ Steps to implement the logging policy via registry:
reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
```
"""
severity = "low"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Windows",
@@ -2,7 +2,7 @@
creation_date = "2025/04/16"
integration = ["windows"]
maturity = "production"
updated_date = "2025/12/09"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -119,12 +119,15 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
user.id
// Filter for scripts with high numeric character ratio
| where Esql.script_block_ratio > 0.30
| where Esql.script_block_ratio > 0.35
// Exclude Windows Defender Noisy Patterns
| where not (
file.directory == "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads" or
file.directory like "C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection*"
file.directory like (
"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection*",
"C:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent*"
)
)
// ESQL requires this condition, otherwise it only returns matches where file.directory exists.
or file.directory is null
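Review bot: The new exclusion `"C:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent*"` allowlists on `file.directory` alone, so every script block logged from a path under that prefix is dropped regardless of which user produced it, while the comment above the block still reads `// Exclude Windows Defender Noisy Patterns` even though the list now covers a second vendor. Rename the comment, e.g. `// Exclude known-noisy EDR agent directories (Defender for Endpoint, SentinelOne)`, and where the event allows it anchor the exclusion on a second field the query already keeps (such as `user.id`) rather than on the path prefix only. The `like (...)` multi-pattern form also presumes a stack version that supports a pattern list; confirm the rule's stack-version constraint (outside the hunk) permits it. The query begins before the hunk and the `not (...)` / `or file.directory is null` predicate closes at this line.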
@@ -2,7 +2,7 @@
creation_date = "2025/04/03"
integration = ["windows"]
maturity = "production"
updated_date = "2025/12/09"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -117,8 +117,8 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
agent.id,
user.id
// Filter for scripts that match the pattern at least four times
| where Esql.script_block_pattern_count >= 4
// Filter for scripts that match the pattern at least five times
| where Esql.script_block_pattern_count >= 5
// Exclude Noisy Patterns
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
creation_date = "2025/04/16"
integration = ["windows"]
maturity = "production"
updated_date = "2025/12/09"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -86,7 +86,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
user.id
// Filter for scripts with high special character ratio
| where Esql.script_block_ratio > 0.30
| where Esql.script_block_ratio > 0.35
// Exclude Noisy Patterns
| where not file.directory like "C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"