[Rule Tuning] Suspicious PowerShell Engine ImageLoad (#2721)

* [Rule Tuning] Suspicious PowerShell Engine ImageLoad

* Update rules/windows/execution_suspicious_powershell_imgload.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

rules/windows/execution_suspicious_powershell_imgload.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
-integration = ["endpoint", "windows"]
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/06/29"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the PowerShell engine being invoked by unexpected processes. Rather t
 with powershell.exe, some attackers do this to operate more stealthily.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious PowerShell Engine ImageLoad"
@@ -59,28 +59,6 @@ Attackers can use PowerShell without having to execute `PowerShell.exe` directly
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
-## Setup
-
-The 'PowerShell Script Block Logging' logging policy must be enabled.
-Steps to implement the logging policy with with Advanced Audit Configuration:
-
-```
-Computer Configuration >
-Administrative Templates >
-Windows PowerShell >
-Turn on PowerShell Script Block Logging (Enable)
-```
-
-Steps to implement the logging policy via registry:
-
-```
-reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
-```
-
-## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 risk_score = 47
 rule_id = "852c1f19-68e8-43a6-9dce-340771fe1be3"
@@ -90,64 +68,36 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-any where host.os.type == "windows" and (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
- (dll.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll") or
-  file.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll")) and
-
-/* add false positives relevant to your environment here */
-not process.executable : ("C:\\Windows\\System32\\RemoteFXvGPUDisablement.exe", "C:\\Windows\\System32\\sdiagnhost.exe") and
-not process.executable regex~ """C:\\Program Files( \(x86\))?\\*\.exe""" and
-  not process.name :
+library where host.os.type == "windows" and
+  dll.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll") and
+  not 
   (
-    "Altaro.SubAgent.exe",
-    "AppV_Manage.exe",
-    "azureadconnect.exe",
-    "CcmExec.exe",
-    "configsyncrun.exe",
-    "choco.exe",
-    "ctxappvservice.exe",
-    "DVLS.Console.exe",
-    "edgetransport.exe",
-    "exsetup.exe",
-    "forefrontactivedirectoryconnector.exe",
-    "InstallUtil.exe",
-    "JenkinsOnDesktop.exe",
-    "Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe",
-    "mmc.exe",
-    "mscorsvw.exe",
-    "msexchangedelivery.exe",
-    "msexchangefrontendtransport.exe",
-    "msexchangehmworker.exe",
-    "msexchangesubmission.exe",
-    "msiexec.exe",
-    "MsiExec.exe",
-    "noderunner.exe",
-    "NServiceBus.Host.exe",
-    "NServiceBus.Host32.exe",
-    "NServiceBus.Hosting.Azure.HostProcess.exe",
-    "OuiGui.WPF.exe",
-    "powershell.exe",
-    "powershell_ise.exe",
-    "pwsh.exe",
-    "SCCMCliCtrWPF.exe",
-    "ScriptEditor.exe",
-    "ScriptRunner.exe",
-    "sdiagnhost.exe",
-    "servermanager.exe",
-    "setup100.exe",
-    "ServiceHub.VSDetouredHost.exe",
-    "SPCAF.Client.exe",
-    "SPCAF.SettingsEditor.exe",
-    "SQLPS.exe",
-    "Ssms.exe",
-    "telemetryservice.exe",
-    "UMWorkerProcess.exe",
-    "w3wp.exe",
-    "wsmprovhost.exe"
+    /* MS Signed Binaries */
+    (
+      process.code_signature.subject_name : (
+        "Microsoft Windows",
+        "Microsoft Dynamic Code Publisher",
+        "Microsoft Corporation"
+      ) and process.code_signature.trusted == true and not process.name : ("rundll32.exe", "regsvr32.exe")
+    ) or
+
+    /* Signed Executables from the Program Files folder */
+    (
+      process.executable : (
+        "?:\\Program Files (x86)\\*.exe",
+        "?:\\Program Files\\*.exe"
+      ) and process.code_signature.trusted == true
+    ) or
+
+    /* Lenovo */
+    (
+      process.executable : (
+        "?:\\Windows\\Lenovo\\*.exe"
+      ) and (process.code_signature.subject_name : "Lenovo" and process.code_signature.trusted == true) 
+    )
   )
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]