[Rule Tuning] PowerShell Rules (#5056)

w0rk3r · web-flow · commit aa97487b2001 · 2025-09-11T16:54:11.000-07:00
* [Rule Tuning] PowerShell Rules * Update defense_evasion_posh_defender_tampering.toml * [Rule Tuning] Connection to Commonly Abused Web Services * Revert "[Rule Tuning] Connection to Commonly Abused Web Services" This reverts commit 74dcea0.
diff --git a/rules/windows/collection_mailbox_export_winlog.toml b/rules/windows/collection_mailbox_export_winlog.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/11"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -80,26 +80,20 @@ event.category:process and host.os.type:windows and
 
 
 [[rule.filters]]
-
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
 case_insensitive = true
 value = "?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*"
-[[rule.filters]]
 
-[rule.filters.meta]
-negate = true
-[rule.filters.query.wildcard."file.path"]
-case_insensitive = true
-value = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"
 [[rule.filters]]
-
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
 case_insensitive = true
-value = "?:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"
+value = "*\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/19"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -52,7 +52,7 @@ Attackers can use PowerShell to interact with the Windows API with the intent of
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
 references = ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1"]
-risk_score = 47
+risk_score = 73
 rule_id = "2f2f4939-0b34-40c2-a0a3-844eb7889f43"
 setup = """## Setup
 
@@ -72,7 +72,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "medium"
+severity = "high"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",
diff --git a/rules/windows/collection_posh_clipboard_capture.toml b/rules/windows/collection_posh_clipboard_capture.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -105,7 +105,7 @@ event.category:process and host.os.type:windows and
   ) and
   not user.id : "S-1-5-18" and
   not (
-    file.path : C\:\\Program?Files\\WindowsPowerShell\\*Modules*.ps1 and
+    file.path : *WindowsPowerShell\\Modules\\*.ps1 and
     file.name : ("Convert-ExcelRangeToImage.ps1" or "Read-Clipboard.ps1")
   )
 '''
diff --git a/rules/windows/collection_posh_mailbox.toml b/rules/windows/collection_posh_mailbox.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/11"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -93,16 +93,23 @@ type = "query"
 query = '''
 event.category:process and host.os.type:windows and
   (
-   powershell.file.script_block_text : (
-      "Microsoft.Office.Interop.Outlook" or
-      "Interop.Outlook.olDefaultFolders" or
-      "::olFolderInBox"
-   ) or
-   powershell.file.script_block_text : (
-      "Microsoft.Exchange.WebServices.Data.Folder" or
-      "Microsoft.Exchange.WebServices.Data.FileAttachment"
-   )
-  ) and not user.id : "S-1-5-18"
+    (
+      powershell.file.script_block_text : (
+        "Microsoft.Office.Interop.Outlook" or
+        "Interop.Outlook.olDefaultFolders" or
+        "olFolderInBox" or
+        "Outlook.Application"
+      ) and powershell.file.script_block_text : ("MAPI" or "GetDefaultFolder" or "GetNamespace" or "Session" or "GetSharedDefaultFolder")
+    ) or
+    (
+      powershell.file.script_block_text : (
+        "Microsoft.Exchange.WebServices.Data.Folder" or
+        "Microsoft.Exchange.WebServices.Data.FileAttachment" or
+        "Microsoft.Exchange.WebServices.Data.ExchangeService"
+      ) and
+      powershell.file.script_block_text : ("FindItems" or "Bind" or "WellKnownFolderName" or "FolderId" or "ItemView" or "PropertySet" or "SearchFilter" or "Attachments")
+    )
+  )
 '''
 
 
diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/24"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -53,7 +53,7 @@ references = [
     "https://cobalt.io/blog/kerberoast-attack-techniques",
     "https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1",
 ]
-risk_score = 47
+risk_score = 73
 rule_id = "eb610e70-f9e6-4949-82b9-f1c5bcd37c39"
 setup = """## Setup
 
@@ -73,7 +73,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "medium"
+severity = "high"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",
diff --git a/rules/windows/defense_evasion_posh_defender_tampering.toml b/rules/windows/defense_evasion_posh_defender_tampering.toml
@@ -1,13 +1,11 @@
 [metadata]
-bypass_bbr_timing = true
 creation_date = "2024/09/11"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"
 
 [rule]
 author = ["Elastic"]
-building_block_type = "default"
 description = """
 Identifies PowerShell scripts containing cmdlets and parameters that attackers can abuse to disable Windows Defender
 features. Attackers can tamper with antivirus to reduce the risk of detection when executing their payloads.
@@ -44,7 +42,6 @@ tags = [
     "Use Case: Threat Detection",
     "Tactic: Defense Evasion",
     "Data Source: PowerShell Logs",
-    "Rule Type: BBR",
 ]
 timestamp_override = "event.ingested"
 type = "query"
@@ -67,7 +64,8 @@ not powershell.file.script_block_text : (
   ("cmdletization" and "cdxml-Help.xml") or
   ("function Set-MpPreference" and "Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.SubmitSamplesConsentType")
 ) and
-not file.directory : "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM"
+not file.directory : "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM" and
+not user.id : "S-1-5-18"
 '''
 
 
diff --git a/rules/windows/discovery_posh_invoke_sharefinder.toml b/rules/windows/discovery_posh_invoke_sharefinder.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -53,7 +53,7 @@ references = [
     "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
     "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md",
 ]
-risk_score = 47
+risk_score = 73
 rule_id = "4c59cff1-b78a-41b8-a9f1-4231984d1fb6"
 setup = """## Setup
 
@@ -74,7 +74,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "medium"
+severity = "high"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",
diff --git a/rules/windows/execution_posh_hacktool_authors.toml b/rules/windows/execution_posh_hacktool_authors.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/08"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -53,7 +53,7 @@ PowerShell is a powerful scripting language and automation framework used in Win
 references = [
     "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md",
 ]
-risk_score = 73
+risk_score = 47
 rule_id = "2553a9af-52a4-4a05-bb03-85b2a479a0a0"
 setup = """## Setup
 
@@ -73,7 +73,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "high"
+severity = "medium"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",
@@ -111,7 +111,8 @@ host.os.type:windows and event.category:process and
       "jaredcatkinson" or "ChrisTruncer" or
       "monoxgas" or "TheRealWover" or
       "splinter_code"
-  )
+  ) and
+  not powershell.file.script_block_text : ("Get-UEFIDatabaseSigner" or "Posh-SSH")
 '''
 
 
diff --git a/rules/windows/execution_posh_hacktool_functions.toml b/rules/windows/execution_posh_hacktool_functions.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/05/03"
+updated_date = "2025/09/03"
 
 [transform]
 [[transform.osquery]]
@@ -272,7 +272,7 @@ event.category:process and host.os.type:windows and
     "Invoke-SMBExec" or "Invoke-PSRemoting" or
     "Invoke-ExecuteMSBuild" or "Invoke-DCOM" or
     "Invoke-InveighRelay" or "Invoke-PsExec" or
-    "Invoke-SSHCommand" or "Find-ActiveUsersWMI" or
+    "Find-ActiveUsersWMI" or
     "Get-SystemDrivesWMI" or "Get-ActiveNICSWMI" or
     "Remove-Persistence" or "DNS_TXT_Pwnage" or
     "Execute-OnTime" or "HTTP-Backdoor" or
diff --git a/rules_building_block/discovery_posh_password_policy.toml b/rules_building_block/discovery_posh_password_policy.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/12"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/03"
 
 [rule]
 author = ["Elastic"]
@@ -80,14 +80,12 @@ event.category: "process" and host.os.type:windows and
       )
     )
   )
-) and not powershell.file.script_block_text : (
-    "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
-  )
-  and not 
-  (
-    powershell.file.script_block_text : ("43c15630-959c-49e4-a977-758c5cc93408" and "CmdletsToExport" and "ActiveDirectory.Types.ps1xml")
-  )
-  and not user.id : "S-1-5-18"
+) and
+
+not powershell.file.script_block_text : ("sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators") and
+not powershell.file.script_block_text : ("43c15630-959c-49e4-a977-758c5cc93408" and "CmdletsToExport" and "ActiveDirectory.Types.ps1xml") and
+not file.directory: "C:\Program Files\LogicMonitor\Agent\tmp" and
+not user.id : "S-1-5-18"
 '''
 
 
