From ee548328d56c2e6ec31ece0ac0d01ae6cf3b89bf Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Wed, 8 Dec 2021 11:51:32 -0300
Subject: [PATCH] [Rule Tuning] Powershell Defender Exclusion (#1644)

* Split process.args condition

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra
Co-authored-by: Justin Ibarra
---
 .../defense_evasion_defender_exclusion_via_powershell.toml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
index 75509d400..fbb2eed01 100644
--- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
+++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/20"
 maturity = "production"
-updated_date = "2021/10/17"
+updated_date = "2021/12/03"
 
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,8 @@ type = "eql"
 query = '''
 process where event.type == "start" and
 (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
 process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")) and
- process.args : ("*Add-MpPreference*-Exclusion*", "*Set-MpPreference*-Exclusion*")
+ process.args : ("*Add-MpPreference*", "*Set-MpPreference*") and
+ process.args : ("*-Exclusion*")
 '''
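Review bot: The split at the two added `process.args` lines in the second hunk changes the match semantics, not just the layout, and the rule text does not say so: the old single pattern required `-Exclusion` to follow the cmdlet name inside the same argument, while the new form accepts `*-Exclusion*` in any argument of the process, including ones unrelated to the cmdlet such as a script or file path that happens to contain that substring alongside a `Set-MpPreference` call. That is presumably intended, since the `-ExclusionPath` / `-ExclusionProcess` / `-ExclusionExtension` parameter is frequently passed as a separate token from the cmdlet name and the old pattern missed it, but the broadening should be recorded where the next tuner will see it. I would add to the `[rule]` table's `false_positives` or `note` field a sentence along the lines of "The cmdlet name and the -Exclusion parameter are matched as separate arguments, so an unrelated argument containing '-Exclusion' together with a Set-/Add-MpPreference invocation will match; review process.command_line to confirm the exclusion parameter belongs to the cmdlet." The first hunk is only the `updated_date` bump, and the `[rule]` table this query belongs to continues outside the hunk.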