[Rule Tuning] Suspicious Windows Powershell Arguments (#4961)

(cherry picked from commit 58f62fd)

Author: w0rk3r

rules/windows/execution_windows_powershell_susp_args.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/09/06"
 integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/04"
 
 [rule]
 author = ["Elastic"]
@@ -58,9 +58,9 @@ PowerShell is a powerful scripting language and command-line shell used for task
 - Restore any affected files or system components from known good backups to ensure system integrity and functionality.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised.
 - Implement additional monitoring and logging for PowerShell activities across the network to enhance detection of similar threats in the future."""
-risk_score = 73
+risk_score = 47
 rule_id = "83bf249e-4348-47ba-9741-1202a09556ad"
-severity = "high"
+severity = "medium"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",
@@ -79,9 +79,15 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
  process.name : "powershell.exe" and
+
+  not (
+    user.id == "S-1-5-18" and
+    /* Don't apply the user.id exclusion to Sysmon for compatibility */
+    not event.dataset : ("windows.sysmon_operational", "windows.sysmon")
+  ) and
+
   (
-   process.command_line :
-        (
+    process.command_line : (
           "*^*^*^*^*^*^*^*^*^*",
           "*`*`*`*`*",
           "*+*+*+*+*+*+*",
@@ -103,6 +109,7 @@ process where host.os.type == "windows" and event.type == "start" and
           "*DownloadString*",
           "* iex*",
           "* iwr*",
+          "* aQB3AHIAIABpA*",
           "*Reflection.Assembly*",
           "*Assembly.GetType*",
           "*$env:temp\\*start*",
@@ -124,21 +131,36 @@ process where host.os.type == "windows" and event.type == "start" and
           "*.content|i''Ex*",
           "*//:sptth*",
           "*//:ptth*",
+          "*h''t''t''p*",
+          "*'tp'':''/'*",
+          "*$env:T\"E\"MP*",
+          "*;cmd /c $?",
+          "*s''t''a''r*",
           "*$*=Get-Content*AppData*.SubString(*$*",
-          "*=cat *AppData*.substring(*);*$*"
-        ) or
-
-      (process.args : "-c" and process.args : "&{'*") or
-
-      (process.args : "-Outfile" and process.args : "Start*") or
-
-      (process.args : "-bxor" and process.args : "0x*") or
-
-      process.args : "$*$*;set-alias" or
-
-      (process.parent.name : ("explorer.exe", "cmd.exe") and
-       process.command_line : ("*-encodedCommand*", "*Invoke-webrequest*", "*WebClient*", "*Reflection.Assembly*"))
-  )
+          "*=cat *AppData*.substring(*);*$*",
+          "*-join'';*|powershell*",
+          "*.Content;sleep *|powershell*",
+          "*h\''t\''tp:\''*",
+          "*-e aQB3AHIAIABp*",
+          "*iwr *https*).Content*",
+          "*$env:computername*http*",
+          "*;InVoKe-ExpRESsIoN $COntent.CONTENt;*",
+          "*WebClient*example.com*",
+          "*=iwr $*;iex $*"
+    ) or
+
+    (process.args : "-c" and process.args : "&{'*") or
+
+    (process.args : "-Outfile" and process.args : "Start*") or
+
+    (process.args : "-bxor" and process.args : "0x*") or
+
+    process.args : "$*$*;set-alias" or
+
+    (
+      process.parent.name : ("explorer.exe", "cmd.exe") and
+      process.command_line : ("*-encodedCommand*", "*Invoke-webrequest*", "*WebClient*", "*Reflection.Assembly*"))
+    )
 '''