[Rule Tuning] Potential PowerShell Obfuscated Script (#5389)

* [Rule Tuning] Potential PowerShell Obfuscated Script

* Update defense_evasion_posh_obfuscation.toml

Author: w0rk3r

rules/windows/defense_evasion_posh_obfuscation.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/07/03"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -91,7 +91,6 @@ event.category:process and host.os.type:windows and
     "[convert]::toint16" or
     "[char][int]$_" or
     ("ConvertTo-SecureString" and "PtrToStringAuto") or
-    ".GetNetworkCredential().password" or
     "-BXor" or
     ("replace" and "char") or
     "[array]::reverse" or
@@ -106,9 +105,33 @@ event.category:process and host.os.type:windows and
     ("$VerbosePreference" and "[1,3]+'X'-Join''") or
     ("rahc" or "ekovin" or "gnirts" or "ecnereferpesobrev" or "ecalper" or "cepsmoc" or "dillehs") or
     ("System.Management.Automation.$([cHAr]" or "System.$([cHAr]" or ")+[cHAR]([byte]")
+  ) and
+  not powershell.file.script_block_text : (
+        ("Copyright (c) 2018 Ansible Project" or "Export-ModuleMember -Function Add-CSharpType") and
+        ("[Object]$AnsibleModule" or "$AnsibleModule.Tmpdir")
   )
 '''
 
+[[rule.filters]]
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."file.directory"]
+case_insensitive = true
+value = "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\*"
+
+[[rule.filters]]
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."file.directory"]
+case_insensitive = true
+value = "?:\\\\Program Files (x86)\\\\WindowsPowerShell\\\\Modules\\\\*"
+
+[[rule.filters]]
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."file.path"]
+case_insensitive = true
+value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\*"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"