++, powershell.file.*

w0rk3r · w0rk3r · commit 16db3789c435 · 2025-12-02T09:07:23.000-03:00
diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick.toml
@@ -104,12 +104,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 | keep
     Esql.script_block_pattern_count,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
-    powershell.file.script_block_entropy_bits,
-    powershell.file.script_block_surprisal_stdev,
-    powershell.file.script_block_length,
-    powershell.file.script_block_unique_symbols,
+    powershell.file.*
     file.name,
     file.directory,
     file.path,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml
@@ -103,12 +103,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_pattern_count,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
-    powershell.file.script_block_entropy_bits,
-    powershell.file.script_block_surprisal_stdev,
-    powershell.file.script_block_length,
-    powershell.file.script_block_unique_symbols,
+    powershell.file.*
     file.path,
     file.name,
     powershell.sequence,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml b/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml
@@ -105,12 +105,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 | keep
     Esql.script_block_pattern_count,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
-    powershell.file.script_block_entropy_bits,
-    powershell.file.script_block_surprisal_stdev,
-    powershell.file.script_block_length,
-    powershell.file.script_block_unique_symbols,
+    powershell.file.*
     file.path,
     powershell.sequence,
     powershell.total,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml b/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml
@@ -101,12 +101,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 | keep
     Esql.script_block_pattern_count,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
-    powershell.file.script_block_entropy_bits,
-    powershell.file.script_block_surprisal_stdev,
-    powershell.file.script_block_length,
-    powershell.file.script_block_unique_symbols,
+    powershell.file.*
     file.path,
     powershell.sequence,
     powershell.total,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml b/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml
@@ -106,12 +106,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_ratio,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
-    powershell.file.script_block_entropy_bits,
-    powershell.file.script_block_surprisal_stdev,
-    powershell.file.script_block_length,
-    powershell.file.script_block_unique_symbols,
+    powershell.file.*
     file.directory,
     file.path,
     powershell.sequence,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml b/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml
@@ -106,12 +106,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_pattern_count,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
-    powershell.file.script_block_entropy_bits,
-    powershell.file.script_block_surprisal_stdev,
-    powershell.file.script_block_length,
-    powershell.file.script_block_unique_symbols,
+    powershell.file.*
     file.path,
     powershell.sequence,
     powershell.total,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml b/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml
@@ -107,12 +107,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_pattern_count,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
-    powershell.file.script_block_entropy_bits,
-    powershell.file.script_block_surprisal_stdev,
-    powershell.file.script_block_length,
-    powershell.file.script_block_unique_symbols,
+    powershell.file.*
     file.path,
     file.directory,
     powershell.sequence,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml b/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml
@@ -108,12 +108,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_pattern_count,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
-    powershell.file.script_block_entropy_bits,
-    powershell.file.script_block_surprisal_stdev,
-    powershell.file.script_block_length,
-    powershell.file.script_block_unique_symbols,
+    powershell.file.*
     file.path,
     powershell.sequence,
     powershell.total,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml b/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml
@@ -104,12 +104,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 | keep
     Esql.script_block_pattern_count,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
-    powershell.file.script_block_entropy_bits,
-    powershell.file.script_block_surprisal_stdev,
-    powershell.file.script_block_length,
-    powershell.file.script_block_unique_symbols,
+    powershell.file.*
     file.path,
     powershell.sequence,
     powershell.total,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml b/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml
@@ -106,12 +106,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_pattern_count,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
-    powershell.file.script_block_entropy_bits,
-    powershell.file.script_block_surprisal_stdev,
-    powershell.file.script_block_length,
-    powershell.file.script_block_unique_symbols,
+    powershell.file.*
     file.path,
     powershell.sequence,
     powershell.total,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_string_format.toml b/rules/windows/defense_evasion_posh_obfuscation_string_format.toml
@@ -105,12 +105,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_pattern_count,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
-    powershell.file.script_block_entropy_bits,
-    powershell.file.script_block_surprisal_stdev,
-    powershell.file.script_block_length,
-    powershell.file.script_block_unique_symbols,
+    powershell.file.*
     file.path,
     file.directory,
     powershell.sequence,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml b/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml
@@ -113,12 +113,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_length,
     Esql.script_block_ratio,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
-    powershell.file.script_block_entropy_bits,
-    powershell.file.script_block_surprisal_stdev,
-    powershell.file.script_block_length,
-    powershell.file.script_block_unique_symbols,
+    powershell.file.*
     file.path,
     powershell.sequence,
     powershell.total,
diff --git a/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml b/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml
@@ -73,12 +73,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_length,
     Esql.script_block_ratio,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
-    powershell.file.script_block_entropy_bits,
-    powershell.file.script_block_surprisal_stdev,
-    powershell.file.script_block_length,
-    powershell.file.script_block_unique_symbols,
+    powershell.file.*
     file.path,
     file.directory,
     powershell.sequence,
