[Rule Tuning] PowerShell Rules - Misc Tuning/Severity Bumps (#5486)

w0rk3r · tradebot-elastic · commit a4be73339df0 · 2025-12-18T11:33:24.000Z
* [Rule Tuning] PowerShell Misc Tuning/Severity Bump * bump sev (cherry picked from commit a9bdfaa)
diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/09"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -117,8 +117,8 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     agent.id,
     user.id
 
-// Filter for scripts that match the pattern at least 10 times
-| where Esql.script_block_pattern_count >= 10
+// Filter for scripts that match the pattern at least 20 times
+| where Esql.script_block_pattern_count >= 20
 
 | where file.name not like "TSS_*.psm1"
   // ESQL requires this condition, otherwise it only returns matches where file.name exists.
diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/09"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -51,7 +51,7 @@ PowerShell, a powerful scripting language in Windows environments, can be exploi
 - Implement enhanced monitoring on the affected host and similar systems to detect any recurrence of obfuscation techniques or related suspicious activities.
 - Update endpoint protection and intrusion detection systems with indicators of compromise (IOCs) derived from the analysis to improve detection capabilities for similar threats in the future.
 """
-risk_score = 21
+risk_score = 73
 rule_id = "d43f2b43-02a1-4219-8ce9-10929a32a618"
 setup = """## Setup
 
@@ -71,7 +71,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "low"
+severity = "high"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",
diff --git a/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml b/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/09"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -51,7 +51,7 @@ PowerShell, a powerful scripting language, is often targeted by adversaries for
 - Update endpoint protection and ensure that AMSI and other security features are fully enabled and configured to detect similar threats.
 - Escalate the incident to the security operations center (SOC) for further analysis and to determine if additional systems are affected.
 """
-risk_score = 21
+risk_score = 73
 rule_id = "85e2d45e-a3df-4acf-83d3-21805f564ff4"
 setup = """## Setup
 
@@ -71,7 +71,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "low"
+severity = "high"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",
diff --git a/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml b/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/09"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -50,7 +50,7 @@ PowerShell is a powerful scripting language used for task automation and configu
 - Escalate the incident to the security operations team for further analysis and to determine if additional systems have been compromised.
 - Update endpoint protection and monitoring tools to enhance detection capabilities for similar obfuscation techniques, leveraging insights from the MITRE ATT&CK framework.
 """
-risk_score = 21
+risk_score = 73
 rule_id = "083383af-b9a4-42b7-a463-29c40efe7797"
 setup = """## Setup
 
@@ -70,7 +70,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "low"
+severity = "high"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",
diff --git a/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml b/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/09"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -119,12 +119,15 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     user.id
 
 // Filter for scripts with high numeric character ratio
-| where Esql.script_block_ratio > 0.30
+| where Esql.script_block_ratio > 0.35
 
 // Exclude Windows Defender Noisy Patterns
 | where not (
     file.directory == "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads" or
-    file.directory like "C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection*"
+    file.directory like (
+        "C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection*",
+        "C:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent*"
+    )
   )
   // ESQL requires this condition, otherwise it only returns matches where file.directory exists.
   or file.directory is null
diff --git a/rules/windows/defense_evasion_posh_obfuscation_string_format.toml b/rules/windows/defense_evasion_posh_obfuscation_string_format.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/03"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/09"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -117,8 +117,8 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     agent.id,
     user.id
 
-// Filter for scripts that match the pattern at least four times
-| where Esql.script_block_pattern_count >= 4
+// Filter for scripts that match the pattern at least five times
+| where Esql.script_block_pattern_count >= 5
 
 // Exclude Noisy Patterns
 
diff --git a/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml b/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/09"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -86,7 +86,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     user.id
 
 // Filter for scripts with high special character ratio
-| where Esql.script_block_ratio > 0.30
+| where Esql.script_block_ratio > 0.35
 
 // Exclude Noisy Patterns
 | where not file.directory like "C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"
