[Rule Tuning] PowerShell Rules (#3903)

Author: w0rk3r

rules/windows/collection_posh_keylogger.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/10/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/17"
 
 [rule]
 author = ["Elastic"]
@@ -57,7 +57,7 @@ references = [
     "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1",
     "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1",
 ]
-risk_score = 47
+risk_score = 73
 rule_id = "bd2c86a0-8b61-4457-ab38-96943984e889"
 setup = """## Setup
 
@@ -77,7 +77,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "medium"
+severity = "high"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",

rules/windows/credential_access_posh_invoke_ninjacopy.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/01/23"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/17"
 
 [rule]
 author = ["Elastic"]
@@ -50,9 +50,9 @@ Invoke-NinjaCopy is a PowerShell script capable of reading SYSTEM files that wer
 references = [
     "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1",
 ]
-risk_score = 47
+risk_score = 73
 rule_id = "b8386923-b02c-4b94-986a-d223d9b01f88"
-severity = "medium"
+severity = "high"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",

rules/windows/credential_access_posh_kerb_ticket_dump.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/07/26"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/17"
 
 [rule]
 author = ["Elastic"]
@@ -61,7 +61,7 @@ This rule indicates the use of scripts that contain code capable of dumping Kerb
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
 references = ["https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1"]
-risk_score = 47
+risk_score = 73
 rule_id = "fddff193-48a3-484d-8d35-90bb3d323a56"
 setup = """## Setup
 
@@ -81,7 +81,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "medium"
+severity = "high"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",

rules/windows/credential_access_posh_relay_tools.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/03/27"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/17"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = [
     "https://github.com/nettitude/PoshC2/blob/master/resources/modules/Invoke-Tater.ps1",
     "https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1",
 ]
-risk_score = 47
+risk_score = 73
 rule_id = "951779c2-82ad-4a6c-82b8-296c1f691449"
 setup = """## Setup
 
@@ -42,7 +42,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "medium"
+severity = "high"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",
@@ -63,7 +63,8 @@ event.category:process and host.os.type:windows and
     "0x4e,0x54,0x20,0x4c,0x4d" or
     "0x53,0x4d,0x42,0x20,0x32" or
     "0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38"
-  )
+  ) and
+  not file.directory : "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads"
 '''
 
 

rules/windows/defense_evasion_posh_assembly_load.toml

@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
 min_stack_version = "8.12.0"
-updated_date = "2024/03/12"
+updated_date = "2024/07/17"
 
 [transform]
 [[transform.osquery]]
@@ -142,6 +142,9 @@ event.category:process and host.os.type:windows and
         ("Get-SolutionFiles" or "Get-VisualStudio" or "Select-MSBuildPath") and
         file.name : "PathFunctions.ps1"
   ) and
+  not powershell.file.script_block_text : (
+        "Microsoft.PowerShell.Workflow.ServiceCore" and "ExtractPluginProperties([string]$pluginDir"
+  ) and
   not user.id : "S-1-5-18"
 '''
 

rules/windows/defense_evasion_posh_compressed.toml

@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
 min_stack_version = "8.12.0"
-updated_date = "2024/03/12"
+updated_date = "2024/07/17"
 
 [transform]
 [[transform.osquery]]
@@ -103,7 +103,7 @@ Attackers can embed compressed and encoded payloads in scripts to load directly
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
-risk_score = 47
+risk_score = 73
 rule_id = "81fe9dc6-a2d7-4192-a2d8-eed98afc766a"
 setup = """## Setup
 
@@ -123,7 +123,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "medium"
+severity = "high"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"

rules/windows/defense_evasion_posh_encryption.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/01/23"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/17"
 
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,12 @@ event.category:process and host.os.type:windows and
       ".CreateEncryptor" or
       ".CreateDecryptor"
     )
-  ) and not user.id : "S-1-5-18"
+  ) and
+  not user.id : "S-1-5-18" and
+  not (
+    file.name : "Bootstrap.Octopus.FunctionAppenderContext.ps1" and
+    powershell.file.script_block_text : ("function Decrypt-Variables" or "github.com/OctopusDeploy")
+  )
 '''
 
 

rules/windows/defense_evasion_posh_process_injection.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/10/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/17"
 
 [rule]
 author = ["Elastic"]
@@ -60,7 +60,7 @@ references = [
     "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1",
     "https://www.elastic.co/security-labs/detect-credential-access",
 ]
-risk_score = 47
+risk_score = 73
 rule_id = "2e29e96a-b67c-455a-afe4-de6183431d0d"
 setup = """## Setup
 
@@ -80,7 +80,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "medium"
+severity = "high"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",
@@ -101,8 +101,10 @@ event.category:process and host.os.type:windows and
    (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or
       SuspendThread or ResumeThread or GetDelegateForFunctionPointer)
   ) and not 
-  (user.id:("S-1-5-18" or "S-1-5-19") and
-   file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\SenseCM")
+  file.directory: (
+    "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM" or
+    "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads"
+  )
 '''
 
 

rules/windows/discovery_posh_suspicious_api_functions.toml

@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
 min_stack_version = "8.12.0"
-updated_date = "2024/03/12"
+updated_date = "2024/07/17"
 
 [rule]
 author = ["Elastic"]
@@ -57,7 +57,7 @@ references = [
     "https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413",
     "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md",
 ]
-risk_score = 47
+risk_score = 21
 rule_id = "61ac3638-40a3-44b2-855a-985636ca985e"
 setup = """## Setup
 
@@ -77,7 +77,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "medium"
+severity = "low"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -109,6 +109,11 @@ event.category:process and host.os.type:windows and
     LsaEnumerateTrustedDomains  or
     NetScheduleJobEnum or
     NetUserModalsGet
+  ) and
+  not powershell.file.script_block_text : (
+    ("DsGetSiteName" and ("DiscoverWindowsComputerProperties.ps1" and "param($SourceType, $SourceId, $ManagedEntityId, $ComputerIdentity)")) or
+    ("# Copyright: (c) 2018, Ansible Project" and "#Requires -Module Ansible.ModuleUtils.AddType" and "#AnsibleRequires -CSharpUtil Ansible.Basic") or
+    ("Ansible.Windows.Setup" and "Ansible.Windows.Setup" and "NativeMethods.NetWkstaGetInfo(null, 100, out netBuffer);")
   )
 '''
 

rules/windows/execution_posh_hacktool_authors.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/05/08"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/17"
 
 [rule]
 author = ["Elastic"]
@@ -73,9 +73,9 @@ host.os.type:windows and event.category:process and
       "itm4n" or "nurfed1" or
       "cfalta" or "Scott Sutherland" or
       "_nullbind" or "_tmenochet" or
-      "Boe Prox" or "jaredcatkinson" or
-      "ChrisTruncer" or "monoxgas" or
-      "TheRealWover" or "splinter_code"
+      "jaredcatkinson" or "ChrisTruncer" or
+      "monoxgas" or "TheRealWover" or
+      "splinter_code"
   )
 '''