++

w0rk3r · w0rk3r · commit 5022de035a6f · 2025-12-02T09:09:17.000-03:00
diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick.toml
@@ -104,7 +104,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 | keep
     Esql.script_block_pattern_count,
     Esql.script_block_tmp,
-    powershell.file.*
+    powershell.file.*,
     file.name,
     file.directory,
     file.path,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml
@@ -103,7 +103,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_pattern_count,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.*
+    powershell.file.*,
     file.path,
     file.name,
     powershell.sequence,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml b/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml
@@ -105,7 +105,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 | keep
     Esql.script_block_pattern_count,
     Esql.script_block_tmp,
-    powershell.file.*
+    powershell.file.*,
     file.path,
     powershell.sequence,
     powershell.total,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml b/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml
@@ -101,7 +101,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 | keep
     Esql.script_block_pattern_count,
     Esql.script_block_tmp,
-    powershell.file.*
+    powershell.file.*,
     file.path,
     powershell.sequence,
     powershell.total,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml b/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml
@@ -106,7 +106,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_ratio,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.*
+    powershell.file.*,
     file.directory,
     file.path,
     powershell.sequence,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml b/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml
@@ -106,7 +106,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_pattern_count,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.*
+    powershell.file.*,
     file.path,
     powershell.sequence,
     powershell.total,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml b/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml
@@ -107,7 +107,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_pattern_count,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.*
+    powershell.file.*,
     file.path,
     file.directory,
     powershell.sequence,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml b/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml
@@ -108,7 +108,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_pattern_count,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.*
+    powershell.file.*,
     file.path,
     powershell.sequence,
     powershell.total,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml b/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml
@@ -104,7 +104,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 | keep
     Esql.script_block_pattern_count,
     Esql.script_block_tmp,
-    powershell.file.*
+    powershell.file.*,
     file.path,
     powershell.sequence,
     powershell.total,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml b/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml
@@ -106,7 +106,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_pattern_count,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.*
+    powershell.file.*,
     file.path,
     powershell.sequence,
     powershell.total,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_string_format.toml b/rules/windows/defense_evasion_posh_obfuscation_string_format.toml
@@ -105,7 +105,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_pattern_count,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.*
+    powershell.file.*,
     file.path,
     file.directory,
     powershell.sequence,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml b/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml
@@ -113,7 +113,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_length,
     Esql.script_block_ratio,
     Esql.script_block_tmp,
-    powershell.file.*
+    powershell.file.*,
     file.path,
     powershell.sequence,
     powershell.total,
diff --git a/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml b/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml
@@ -73,7 +73,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_length,
     Esql.script_block_ratio,
     Esql.script_block_tmp,
-    powershell.file.*
+    powershell.file.*,
     file.path,
     file.directory,
     powershell.sequence,
