diff --git a/rules/windows/collection_mailbox_export_winlog.toml b/rules/windows/collection_mailbox_export_winlog.toml
index d9df945ca..d91851bdb 100644
--- a/rules/windows/collection_mailbox_export_winlog.toml
+++ b/rules/windows/collection_mailbox_export_winlog.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/11"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"
 [rule]
 author = ["Elastic"]
@@ -80,26 +80,20 @@ event.category:process and host.os.type:windows and
 [[rule.filters]]
-
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
 case_insensitive = true
 value = "?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*"
-[[rule.filters]]
+[[rule.filters]]
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
 case_insensitive = true
-value = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"
-[[rule.filters]]
+value = "*\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"
+
-[rule.filters.meta]
-negate = true
-[rule.filters.query.wildcard."file.path"]
-case_insensitive = true
-value = "?:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml
index 55a17d138..87087a3e6 100644
--- a/rules/windows/collection_posh_audio_capture.toml
+++ b/rules/windows/collection_posh_audio_capture.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/19"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"
 [rule]
 author = ["Elastic"]
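Review bot: The merged filter's new value `*\\\\tmp_????????.???\\\\tmp_????????.???.ps?1` drops the `?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp` and `?:\\\\Windows\\\\TEMP` anchors that the two removed filters carried, so the negated match now applies to that file-name shape under any directory on any drive rather than only the two temp locations. If the intent was only to collapse the two temp-directory filters into one, a pattern that keeps the directory anchor (for example `*\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1`, which case_insensitive = true already lets cover both spellings) preserves the original scope; if widening is deliberate, the reason belongs in the rule's tuning guidance. The `[[rule.filters]]` header that is removed and re-added with identical text looks like whitespace-only churn and could be left out of the patch.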
@@ -52,7 +52,7 @@ Attackers can use PowerShell to interact with the Windows API with the intent of
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
 references = ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1"]
-risk_score = 47
+risk_score = 73
 rule_id = "2f2f4939-0b34-40c2-a0a3-844eb7889f43"
 setup = """## Setup
@@ -72,7 +72,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "medium"
+severity = "high"
 tags = [
 "Domain: Endpoint",
 "OS: Windows",
diff --git a/rules/windows/collection_posh_clipboard_capture.toml b/rules/windows/collection_posh_clipboard_capture.toml
index faf38d488..a2c3d6981 100644
--- a/rules/windows/collection_posh_clipboard_capture.toml
+++ b/rules/windows/collection_posh_clipboard_capture.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"
 [rule]
 author = ["Elastic"]
@@ -105,7 +105,7 @@ event.category:process and host.os.type:windows and
 ) and not user.id : "S-1-5-18" and not
 (
- file.path : C\:\\Program?Files\\WindowsPowerShell\\*Modules*.ps1 and
+ file.path : *WindowsPowerShell\\Modules\\*.ps1 and
 file.name : ("Convert-ExcelRangeToImage.ps1" or "Read-Clipboard.ps1")
 )
 '''
diff --git a/rules/windows/collection_posh_mailbox.toml b/rules/windows/collection_posh_mailbox.toml
index 9a8eacb6f..df27f3382 100644
--- a/rules/windows/collection_posh_mailbox.toml
+++ b/rules/windows/collection_posh_mailbox.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/11"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"
 [rule]
 author = ["Elastic"]
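Review bot: The new path clause `file.path : *WindowsPowerShell\\Modules\\*.ps1` in collection_posh_clipboard_capture.toml no longer requires the module root to be under Program Files, so the exclusion for `Read-Clipboard.ps1` and `Convert-ExcelRangeToImage.ps1` now also matches a per-user `WindowsPowerShell\Modules` folder, which unlike Program Files is writable by the account whose script blocks the rule is inspecting. If the change is meant to tolerate other system-wide module roots (32-bit Program Files, a non-C: system drive), anchoring on the drive and the Program Files prefix — e.g. `file.path : ?\:\\Program?Files*\\WindowsPowerShell\\Modules\\*.ps1 and` — keeps the exclusion limited to admin-writable locations. The enclosing query opens above this hunk.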
@@ -93,16 +93,23 @@ type = "query"
 query = '''
 event.category:process and host.os.type:windows and
 (
- powershell.file.script_block_text : (
- "Microsoft.Office.Interop.Outlook" or
- "Interop.Outlook.olDefaultFolders" or
- "::olFolderInBox"
- ) or
- powershell.file.script_block_text : (
- "Microsoft.Exchange.WebServices.Data.Folder" or
- "Microsoft.Exchange.WebServices.Data.FileAttachment"
- )
- ) and not user.id : "S-1-5-18"
+ (
+ powershell.file.script_block_text : (
+ "Microsoft.Office.Interop.Outlook" or
+ "Interop.Outlook.olDefaultFolders" or
+ "olFolderInBox" or
+ "Outlook.Application"
+ ) and powershell.file.script_block_text : ("MAPI" or "GetDefaultFolder" or "GetNamespace" or "Session" or "GetSharedDefaultFolder")
+ ) or
+ (
+ powershell.file.script_block_text : (
+ "Microsoft.Exchange.WebServices.Data.Folder" or
+ "Microsoft.Exchange.WebServices.Data.FileAttachment" or
+ "Microsoft.Exchange.WebServices.Data.ExchangeService"
+ ) and
+ powershell.file.script_block_text : ("FindItems" or "Bind" or "WellKnownFolderName" or "FolderId" or "ItemView" or "PropertySet" or "SearchFilter" or "Attachments")
+ )
+ )
 '''
diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml
index fefc704e0..ff75f0e46 100644
--- a/rules/windows/credential_access_posh_request_ticket.toml
+++ b/rules/windows/credential_access_posh_request_ticket.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/24"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"
 [rule]
 author = ["Elastic"]
@@ -53,7 +53,7 @@ references = [
 "https://cobalt.io/blog/kerberoast-attack-techniques",
 "https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1",
 ]
-risk_score = 47
+risk_score = 73
 rule_id = "eb610e70-f9e6-4949-82b9-f1c5bcd37c39"
 setup = """## Setup
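Review bot: The rewritten query in collection_posh_mailbox.toml silently drops the `and not user.id : "S-1-5-18"` clause that closed the old expression, so script blocks logged under SYSTEM are now in scope; nothing in the hunk says whether that is intended, and the sibling collection_posh_clipboard_capture.toml in this same commit keeps its SYSTEM exclusion. If the wider coverage is deliberate, a line in the rule's tuning guidance should say so; otherwise restore the clause after the final `)`, as `) and not user.id : "S-1-5-18"`. The second operands of each AND (`"Session"`, `"Bind"`, `"Attachments"`) are generic enough to appear in many unrelated scripts, so the precision of the rule now rests entirely on the COM/EWS class-name lists — worth a `#` comment above `query` recording that the two lists must be tuned together. The `query` assignment is fully inside the hunk, but the rule table it belongs to starts above it.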
@@ -73,7 +73,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "medium"
+severity = "high"
 tags = [
 "Domain: Endpoint",
 "OS: Windows",
diff --git a/rules_building_block/defense_evasion_posh_defender_tampering.toml b/rules/windows/defense_evasion_posh_defender_tampering.toml
similarity index 95%
rename from rules_building_block/defense_evasion_posh_defender_tampering.toml
rename to rules/windows/defense_evasion_posh_defender_tampering.toml
index 91d9ec2d5..d449c6048 100644
--- a/rules_building_block/defense_evasion_posh_defender_tampering.toml
+++ b/rules/windows/defense_evasion_posh_defender_tampering.toml
@@ -1,13 +1,11 @@
 [metadata]
-bypass_bbr_timing = true
 creation_date = "2024/09/11"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"
 [rule]
 author = ["Elastic"]
-building_block_type = "default"
 description = """
 Identifies PowerShell scripts containing cmdlets and parameters that attackers can abuse to disable Windows Defender features. Attackers can tamper with antivirus to reduce the risk of detection when executing their payloads.
@@ -44,7 +42,6 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Defense Evasion",
 "Data Source: PowerShell Logs",
- "Rule Type: BBR",
 ]
 timestamp_override = "event.ingested"
 type = "query"
@@ -67,7 +64,8 @@ not powershell.file.script_block_text : (
 ("cmdletization" and "cdxml-Help.xml") or
 ("function Set-MpPreference" and "Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.SubmitSamplesConsentType")
 ) and
-not file.directory : "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM"
+not file.directory : "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM" and
+not user.id : "S-1-5-18"
 '''
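Review bot: The added `not user.id : "S-1-5-18"` in defense_evasion_posh_defender_tampering.toml excludes every script block logged under SYSTEM, which is also the context in which Defender settings are routinely changed by services, scheduled tasks and management agents, so tampering performed from a SYSTEM-level context would now go unreported by a rule that this same commit promotes from building-block to production tier. If the exclusion is aimed at one noisy source (the `SenseCM` directory filter on the preceding line suggests there is such a source), scoping it to that source — `not (user.id : "S-1-5-18" and file.directory : "<noisy-source-path>")` — keeps SYSTEM-context tampering visible. Either way the reason for the exclusion should be recorded in the rule's tuning guidance, since the description still says nothing about SYSTEM. The query this clause belongs to opens above the hunk.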
diff --git a/rules/windows/discovery_posh_invoke_sharefinder.toml b/rules/windows/discovery_posh_invoke_sharefinder.toml
index 5343b81ad..6fbd18e79 100644
--- a/rules/windows/discovery_posh_invoke_sharefinder.toml
+++ b/rules/windows/discovery_posh_invoke_sharefinder.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"
 [rule]
 author = ["Elastic"]
@@ -53,7 +53,7 @@ references = [
 "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
 "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md",
 ]
-risk_score = 47
+risk_score = 73
 rule_id = "4c59cff1-b78a-41b8-a9f1-4231984d1fb6"
 setup = """## Setup
@@ -74,7 +74,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "medium"
+severity = "high"
 tags = [
 "Domain: Endpoint",
 "OS: Windows",
diff --git a/rules/windows/execution_posh_hacktool_authors.toml b/rules/windows/execution_posh_hacktool_authors.toml
index 6963b49e3..944a18a87 100644
--- a/rules/windows/execution_posh_hacktool_authors.toml
+++ b/rules/windows/execution_posh_hacktool_authors.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/08"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"
 [rule]
 author = ["Elastic"]
@@ -53,7 +53,7 @@ PowerShell is a powerful scripting language and automation framework used in Win
 references = [
 "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md",
 ]
-risk_score = 73
+risk_score = 47
 rule_id = "2553a9af-52a4-4a05-bb03-85b2a479a0a0"
 setup = """## Setup
@@ -73,7 +73,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "high"
+severity = "medium"
 tags = [
 "Domain: Endpoint",
 "OS: Windows",
@@ -111,7 +111,8 @@ host.os.type:windows and event.category:process and
 "jaredcatkinson" or "ChrisTruncer" or "monoxgas" or "TheRealWover" or "splinter_code"
- )
+ ) and
+ not powershell.file.script_block_text : ("Get-UEFIDatabaseSigner" or "Posh-SSH")
 '''
diff --git a/rules/windows/execution_posh_hacktool_functions.toml b/rules/windows/execution_posh_hacktool_functions.toml
index 87fc33b86..0a0af1433 100644
--- a/rules/windows/execution_posh_hacktool_functions.toml
+++ b/rules/windows/execution_posh_hacktool_functions.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/05/03"
+updated_date = "2025/09/03"
 [transform]
 [[transform.osquery]]
@@ -272,7 +272,7 @@ event.category:process and host.os.type:windows and
 "Invoke-SMBExec" or "Invoke-PSRemoting" or "Invoke-ExecuteMSBuild" or "Invoke-DCOM" or "Invoke-InveighRelay" or "Invoke-PsExec" or
- "Invoke-SSHCommand" or "Find-ActiveUsersWMI" or
+ "Find-ActiveUsersWMI" or
 "Get-SystemDrivesWMI" or "Get-ActiveNICSWMI" or "Remove-Persistence" or "DNS_TXT_Pwnage" or "Execute-OnTime" or "HTTP-Backdoor" or
diff --git a/rules_building_block/discovery_posh_password_policy.toml b/rules_building_block/discovery_posh_password_policy.toml
index 2c41449a8..e655a6cac 100644
--- a/rules_building_block/discovery_posh_password_policy.toml
+++ b/rules_building_block/discovery_posh_password_policy.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/12"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"
 [rule]
 author = ["Elastic"]
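Review bot: The new exclusion `not powershell.file.script_block_text : ("Get-UEFIDatabaseSigner" or "Posh-SSH")` in execution_posh_hacktool_authors.toml keys on the content of the script block itself, so any script block that happens to contain either token is dropped regardless of which author handle matched above; content-based allow-listing is the weakest of the filter styles used in this commit, since the other rules anchor their exclusions on `file.path`, `file.directory` or `user.id`, which the script text does not control. If the false positives come from the Posh-SSH module installed on disk, an exclusion on its module path (in the style collection_posh_clipboard_capture.toml uses for its module files) is harder to satisfy by coincidence; if they come from one signed script, a `file.name` match would do the same. The author list this clause is attached to begins above the hunk.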
@@ -80,14 +80,12 @@ event.category: "process" and host.os.type:windows and
 )
 )
 )
-) and not powershell.file.script_block_text : (
- "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
- )
- and not
- (
- powershell.file.script_block_text : ("43c15630-959c-49e4-a977-758c5cc93408" and "CmdletsToExport" and "ActiveDirectory.Types.ps1xml")
- )
- and not user.id : "S-1-5-18"
+) and
+
+not powershell.file.script_block_text : ("sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators") and
+not powershell.file.script_block_text : ("43c15630-959c-49e4-a977-758c5cc93408" and "CmdletsToExport" and "ActiveDirectory.Types.ps1xml") and
+not file.directory: "C:\Program Files\LogicMonitor\Agent\tmp" and
+not user.id : "S-1-5-18"
 '''
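Review bot: The added `not file.directory: "C:\Program Files\LogicMonitor\Agent\tmp"` excludes every script block whose file sits in that `tmp` directory by path alone, with no `user.id`, parent-process or file-name qualifier, so the exclusion is only as tight as the ACL on that directory; that is presumably admin-only under Program Files, but it is worth confirming and recording in the rule's tuning note, and pairing it with the agent's service account (`not (file.directory: "…\Agent\tmp" and user.id : "<agent-account-sid>")`) would make the scope explicit. As a point of style, this is the one clause in the query written with no space before the colon, while `user.id : …` and both `powershell.file.script_block_text : …` clauses use one; both forms parse, but a consistent form makes the exclusion list easier to scan. The query this closes begins above the hunk.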