[Rule Tuning] ES|QL PowerShell Rules (#4984)

(cherry picked from commit 0507bcd)

Author: w0rk3r

rules/windows/defense_evasion_posh_obfuscation_backtick.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/08/14"
 
 [rule]
 author = ["Elastic"]
@@ -107,6 +107,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     powershell.file.script_block_text,
     powershell.file.script_block_id,
     file.name,
+    file.directory,
     file.path,
     powershell.sequence,
     powershell.total,
@@ -119,11 +120,16 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 // Filter for scripts that match the pattern at least 10 times
 | where Esql.script_block_pattern_count >= 10
 
-// Filter FPs, and due to the behavior of the like operator, allow null values
-| where (file.name not like "TSS_*.psm1" or file.name is null)
+| where file.name not like "TSS_*.psm1"
+  // ESQL requires this condition, otherwise it only returns matches where file.name exists.
+  or file.name is null
 
 // VSCode Shell integration
 | where not powershell.file.script_block_text like "*$([char]0x1b)]633*"
+
+| where not file.directory == "C:\\Program Files\\MVPSI\\JAMS\\Agent\\Temp"
+  // ESQL requires this condition, otherwise it only returns matches where file.directory exists.
+  or file.directory is null
 '''
 
 

rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/08/14"
 
 [rule]
 author = ["Elastic"]
@@ -108,6 +108,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_tmp,
     powershell.file.script_block_text,
     powershell.file.script_block_id,
+    file.directory,
     file.path,
     powershell.sequence,
     powershell.total,
@@ -120,8 +121,15 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 // Filter for scripts with high numeric character ratio
 | where Esql.script_block_ratio > 0.30
 
-// Exclude noisy patterns such as 64-character hash lists
-| where not powershell.file.script_block_text rlike """.*\"[a-fA-F0-9]{64}\"\,.*"""
+// Exclude Windows Defender Noisy Patterns
+| where not (
+    file.directory == "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads" or
+    file.directory like "C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection*"
+  )
+  // ESQL requires this condition, otherwise it only returns matches where file.directory exists.
+  or file.directory is null
+| where not powershell.file.script_block_text like "*[System.IO.File]::Open('C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection*"
+| where not powershell.file.script_block_text : "26a24ae4-039d-4ca4-87b4-2f64180311f0"
 '''
 
 

rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/08/14"
 
 [rule]
 author = ["Elastic"]
@@ -50,7 +50,7 @@ PowerShell's Invoke-Expression (IEX) command is a powerful tool for executing st
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement additional monitoring for unusual PowerShell activity and environment variable manipulations to enhance detection of similar threats in the future.
 """
-risk_score = 21
+risk_score = 47
 rule_id = "b0c98cfb-0745-4513-b6f9-08dddb033490"
 setup = """## Setup
 
@@ -70,7 +70,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "low"
+severity = "medium"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",

rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/08/14"
 
 [rule]
 author = ["Elastic"]
@@ -110,6 +110,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     powershell.file.script_block_text,
     powershell.file.script_block_id,
     file.path,
+    file.directory,
     powershell.sequence,
     powershell.total,
     _id,
@@ -120,6 +121,13 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 
 // Filter for scripts that match the pattern at least once
 | where Esql.script_block_pattern_count >= 1
+
+| where not (
+    file.directory like "C:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\Maester\\\\1.1.0*" or
+    file.directory like "C:\\\\Users\\\\*\\\\Documents\\\\WindowsPowerShell\\\\Modules\\\\Maester\\\\1.1.0*"
+  )
+  // ESQL requires this condition, otherwise it only returns matches where file.directory exists.
+  or file.directory is null
 '''
 
 

rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/08/14"
 
 [rule]
 author = ["Elastic"]
@@ -93,7 +93,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 // The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1
 | eval Esql.script_block_tmp = replace(
     powershell.file.script_block_text,
-    """(?i)(rahc|metsys|stekcos|tcejboimw|ecalper|ecnerferpe|noitcennoc|nioj|eman\.|:vne|gnirts|tcejbo-wen|_23niw|noisserpxe|ekovni|daolnwod)""",
+    """(?i)(rahc|metsys|stekcos|tcejboimw|ecalper|ecnerferpe|noitcennoc|nioj|eman\.|:vne$|gnirts|tcejbo-wen|_23niw|noisserpxe|ekovni|daolnwod)""",
     "🔥"
 )
 

rules/windows/defense_evasion_posh_obfuscation_string_format.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/03"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/08/14"
 
 [rule]
 author = ["Elastic"]
@@ -108,7 +108,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     powershell.file.script_block_text,
     powershell.file.script_block_id,
     file.path,
-    file.name,
+    file.directory,
     powershell.sequence,
     powershell.total,
     _id,
@@ -123,8 +123,12 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 // Exclude Noisy Patterns
 
 // Icinga Framework
-| where (file.name not like "framework_cache.psm1" or file.name is null)
+| where not file.directory == "C:\\Program Files\\WindowsPowerShell\\Modules\\icinga-powershell-framework\\cache"
+  // ESQL requires this condition, otherwise it only returns matches where file.directory exists.
+  or file.directory IS NULL
 
+| where not (powershell.file.script_block_text LIKE "*GitBranchStatus*" AND 
+    powershell.file.script_block_text LIKE "*$s.BranchBehindStatusSymbol.Text*")
 | where not
     // https://wtfbins.wtf/17
     (

rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml

@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/08/14"
 
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     user.id
 
 // Filter for scripts with high special character ratio
-| where Esql.script_block_ratio > 0.25
+| where Esql.script_block_ratio > 0.30
 '''