[Tuning] Powershell Atomics test gaps for T1059.001 (#5380)

Samirbous · tradebot-elastic · commit 7c1e656e6159 · 2025-12-01T15:09:16.000Z
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md (cherry picked from commit 5e1ac4f)
diff --git a/rules/windows/execution_posh_hacktool_functions.toml b/rules/windows/execution_posh_hacktool_functions.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/09/03"
+updated_date = "2025/12/01"
 
 [transform]
 [[transform.osquery]]
@@ -321,7 +321,8 @@ event.category:process and host.os.type:windows and
     "Invoke-FileTransferOverWMI" or "Invoke-WMImplant" or
     "Invoke-WMIObfuscatedPSCommand" or "Invoke-WMIDuplicateClass" or
     "Invoke-WMIUpload" or "Invoke-WMIRemoteExtract" or "Invoke-winPEAS" or
-    "Invoke-AzureHound" or "Invoke-SharpHound"
+    "Invoke-AzureHound" or "Invoke-SharpHound" or "Invoke-DownloadCradle" or
+    "Invoke-AppPathBypass"
   ) and
   not powershell.file.script_block_text : (
     "sentinelbreakpoints" and "Set-PSBreakpoint"
diff --git a/rules/windows/execution_windows_powershell_susp_args.toml b/rules/windows/execution_windows_powershell_susp_args.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/06"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/18"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -150,7 +150,9 @@ process where host.os.type == "windows" and event.type == "start" and
           "*$env:computername*http*",
           "*;InVoKe-ExpRESsIoN $COntent.CONTENt;*",
           "*WebClient*example.com*",
-          "*=iwr $*;iex $*"
+          "*=iwr $*;iex $*",
+          "*ServerXmlHttp*IEX*",
+          "*XmlDocument*IEX*"
     ) or
 
     (process.args : "-c" and process.args : "&{'*") or
@@ -161,6 +163,11 @@ process where host.os.type == "windows" and event.type == "start" and
 
     process.args : "$*$*;set-alias" or
 
+    process.args == "-e" or
+
+    // ATHPowerShellCommandLineParameter
+    process.args : ("-EncodedCommandParamVariation", "-UseEncodedArguments", "-CommandParamVariation") or
+
     (
       process.parent.name : ("explorer.exe", "cmd.exe") and
       process.command_line : ("*-encodedCommand*", "*Invoke-webrequest*", "*WebClient*", "*Reflection.Assembly*"))
