[Rule Tuning] PowerShell Rules (#5056)

* [Rule Tuning] PowerShell Rules * Update defense_evasion_posh_defender_tampering.toml * [Rule Tuning] Connection to Commonly Abused Web Services * Revert "[Rule Tuning] Connection to Commonly Abused Web Services" This reverts commit 74dcea07e16a2b50ee8a372aef63a7c699e7c66a.
2025-09-11 16:54:11 -07:00
parent b5d77951b5
commit aa97487b20
10 changed files with 50 additions and 52 deletions
@@ -2,7 +2,7 @@
 creation_date = "2023/01/11"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"

 [rule]
 author = ["Elastic"]
@@ -80,26 +80,20 @@ event.category:process and host.os.type:windows and


 [[rule.filters]]
-
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
 case_insensitive = true
 value = "?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*"
-[[rule.filters]]

+[[rule.filters]]
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
 case_insensitive = true
-value = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"
-[[rule.filters]]
+value = "*\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"
+

-[rule.filters.meta]
-negate = true
-[rule.filters.query.wildcard."file.path"]
-case_insensitive = true
-value = "?:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -2,7 +2,7 @@
 creation_date = "2021/10/19"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"

 [rule]
 author = ["Elastic"]
@@ -52,7 +52,7 @@ Attackers can use PowerShell to interact with the Windows API with the intent of
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
 references = ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1"]
-risk_score = 47
+risk_score = 73
 rule_id = "2f2f4939-0b34-40c2-a0a3-844eb7889f43"
 setup = """## Setup

@@ -72,7 +72,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "medium"
+severity = "high"
 tags = [
    "Domain: Endpoint",
    "OS: Windows",
@@ -2,7 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"

 [rule]
 author = ["Elastic"]
@@ -105,7 +105,7 @@ event.category:process and host.os.type:windows and
  ) and
  not user.id : "S-1-5-18" and
  not (
-    file.path : C\:\\Program?Files\\WindowsPowerShell\\*Modules*.ps1 and
+    file.path : *WindowsPowerShell\\Modules\\*.ps1 and
    file.name : ("Convert-ExcelRangeToImage.ps1" or "Read-Clipboard.ps1")
  )
 '''
@@ -2,7 +2,7 @@
 creation_date = "2023/01/11"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"

 [rule]
 author = ["Elastic"]
@@ -93,16 +93,23 @@ type = "query"
 query = '''
 event.category:process and host.os.type:windows and
  (
-   powershell.file.script_block_text : (
-      "Microsoft.Office.Interop.Outlook" or
-      "Interop.Outlook.olDefaultFolders" or
-      "::olFolderInBox"
-   ) or
-   powershell.file.script_block_text : (
-      "Microsoft.Exchange.WebServices.Data.Folder" or
-      "Microsoft.Exchange.WebServices.Data.FileAttachment"
-   )
-  ) and not user.id : "S-1-5-18"
+    (
+      powershell.file.script_block_text : (
+        "Microsoft.Office.Interop.Outlook" or
+        "Interop.Outlook.olDefaultFolders" or
+        "olFolderInBox" or
+        "Outlook.Application"
+      ) and powershell.file.script_block_text : ("MAPI" or "GetDefaultFolder" or "GetNamespace" or "Session" or "GetSharedDefaultFolder")
+    ) or
+    (
+      powershell.file.script_block_text : (
+        "Microsoft.Exchange.WebServices.Data.Folder" or
+        "Microsoft.Exchange.WebServices.Data.FileAttachment" or
+        "Microsoft.Exchange.WebServices.Data.ExchangeService"
+      ) and
+      powershell.file.script_block_text : ("FindItems" or "Bind" or "WellKnownFolderName" or "FolderId" or "ItemView" or "PropertySet" or "SearchFilter" or "Attachments")
+    )
+  )
 '''


@@ -2,7 +2,7 @@
 creation_date = "2022/01/24"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"

 [rule]
 author = ["Elastic"]
@@ -53,7 +53,7 @@ references = [
    "https://cobalt.io/blog/kerberoast-attack-techniques",
    "https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1",
 ]
-risk_score = 47
+risk_score = 73
 rule_id = "eb610e70-f9e6-4949-82b9-f1c5bcd37c39"
 setup = """## Setup

@@ -73,7 +73,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "medium"
+severity = "high"
 tags = [
    "Domain: Endpoint",
    "OS: Windows",
@@ -1,13 +1,11 @@
 [metadata]
-bypass_bbr_timing = true
 creation_date = "2024/09/11"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"

 [rule]
 author = ["Elastic"]
-building_block_type = "default"
 description = """
 Identifies PowerShell scripts containing cmdlets and parameters that attackers can abuse to disable Windows Defender
 features. Attackers can tamper with antivirus to reduce the risk of detection when executing their payloads.
@@ -44,7 +42,6 @@ tags = [
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: PowerShell Logs",
-    "Rule Type: BBR",
 ]
 timestamp_override = "event.ingested"
 type = "query"
@@ -67,7 +64,8 @@ not powershell.file.script_block_text : (
  ("cmdletization" and "cdxml-Help.xml") or
  ("function Set-MpPreference" and "Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.SubmitSamplesConsentType")
 ) and
-not file.directory : "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM"
+not file.directory : "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM" and
+not user.id : "S-1-5-18"
 '''


@@ -2,7 +2,7 @@
 creation_date = "2022/08/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"

 [rule]
 author = ["Elastic"]
@@ -53,7 +53,7 @@ references = [
    "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
    "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md",
 ]
-risk_score = 47
+risk_score = 73
 rule_id = "4c59cff1-b78a-41b8-a9f1-4231984d1fb6"
 setup = """## Setup

@@ -74,7 +74,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "medium"
+severity = "high"
 tags = [
    "Domain: Endpoint",
    "OS: Windows",
@@ -2,7 +2,7 @@
 creation_date = "2024/05/08"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"

 [rule]
 author = ["Elastic"]
@@ -53,7 +53,7 @@ PowerShell is a powerful scripting language and automation framework used in Win
 references = [
    "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md",
 ]
-risk_score = 73
+risk_score = 47
 rule_id = "2553a9af-52a4-4a05-bb03-85b2a479a0a0"
 setup = """## Setup

@@ -73,7 +73,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "high"
+severity = "medium"
 tags = [
    "Domain: Endpoint",
    "OS: Windows",
@@ -111,7 +111,8 @@ host.os.type:windows and event.category:process and
      "jaredcatkinson" or "ChrisTruncer" or
      "monoxgas" or "TheRealWover" or
      "splinter_code"
-  )
+  ) and
+  not powershell.file.script_block_text : ("Get-UEFIDatabaseSigner" or "Posh-SSH")
 '''


@@ -2,7 +2,7 @@
 creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/05/03"
+updated_date = "2025/09/03"

 [transform]
 [[transform.osquery]]
@@ -272,7 +272,7 @@ event.category:process and host.os.type:windows and
    "Invoke-SMBExec" or "Invoke-PSRemoting" or
    "Invoke-ExecuteMSBuild" or "Invoke-DCOM" or
    "Invoke-InveighRelay" or "Invoke-PsExec" or
-    "Invoke-SSHCommand" or "Find-ActiveUsersWMI" or
+    "Find-ActiveUsersWMI" or
    "Get-SystemDrivesWMI" or "Get-ActiveNICSWMI" or
    "Remove-Persistence" or "DNS_TXT_Pwnage" or
    "Execute-OnTime" or "HTTP-Backdoor" or
@@ -2,7 +2,7 @@
 creation_date = "2023/07/12"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"

 [rule]
 author = ["Elastic"]
@@ -80,14 +80,12 @@ event.category: "process" and host.os.type:windows and
      )
    )
  )
-) and not powershell.file.script_block_text : (
-    "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
-  )
-  and not 
-  (
-    powershell.file.script_block_text : ("43c15630-959c-49e4-a977-758c5cc93408" and "CmdletsToExport" and "ActiveDirectory.Types.ps1xml")
-  )
-  and not user.id : "S-1-5-18"
+) and
+
+not powershell.file.script_block_text : ("sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators") and
+not powershell.file.script_block_text : ("43c15630-959c-49e4-a977-758c5cc93408" and "CmdletsToExport" and "ActiveDirectory.Types.ps1xml") and
+not file.directory: "C:\Program Files\LogicMonitor\Agent\tmp" and
+not user.id : "S-1-5-18"
 '''