diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick.toml
index 9f5e4004a80..5f96ae81198 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_backtick.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_backtick.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/09"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -117,8 +117,8 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 agent.id,
 user.id
-// Filter for scripts that match the pattern at least 10 times
-| where Esql.script_block_pattern_count >= 10
+// Filter for scripts that match the pattern at least 20 times
+| where Esql.script_block_pattern_count >= 20
 | where file.name not like "TSS_*.psm1"
 // ESQL requires this condition, otherwise it only returns matches where file.name exists.
diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml
index 143799eb82d..eef823dd042 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/09"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
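Review bot: The new `| where Esql.script_block_pattern_count >= 20` doubles the backtick threshold, but neither the comment above it nor anything else in the hunk records why 20 was chosen or what it was measured against, so the next tuning pass has no baseline; the same gap exists for the string_format bump (`>= 4` → `>= 5`) and for the ratio bumps (`> 0.30` → `> 0.35`) in high_number_proportion and proportion_special_chars further down. A raised threshold is a sensitivity trade-off and deserves a line that says so, e.g. `// Raised from 10 to 20 on 2025/12/17 (<reason / FP-review reference>); script blocks with fewer matches no longer alert`. If the repository keeps sample script blocks for these rules, re-running them against the new values would confirm the known-obfuscated cases still fire. The enclosing `query` string starts and ends outside this hunk.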
@@ -51,7 +51,7 @@ PowerShell, a powerful scripting language in Windows environments, can be exploi
 - Implement enhanced monitoring on the affected host and similar systems to detect any recurrence of obfuscation techniques or related suspicious activities.
 - Update endpoint protection and intrusion detection systems with indicators of compromise (IOCs) derived from the analysis to improve detection capabilities for similar threats in the future.
 """
-risk_score = 21
+risk_score = 73
 rule_id = "d43f2b43-02a1-4219-8ce9-10929a32a618"
 setup = """## Setup
 
@@ -71,7 +71,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "low"
+severity = "high"
 tags = [
 "Domain: Endpoint",
 "OS: Windows",
diff --git a/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml b/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml
index 336faa5d7e3..c69d95b4ac6 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/09"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -51,7 +51,7 @@ PowerShell, a powerful scripting language, is often targeted by adversaries for
 - Update endpoint protection and ensure that AMSI and other security features are fully enabled and configured to detect similar threats.
 - Escalate the incident to the security operations center (SOC) for further analysis and to determine if additional systems are affected.
 """
-risk_score = 21
+risk_score = 73
 rule_id = "85e2d45e-a3df-4acf-83d3-21805f564ff4"
 setup = """## Setup
 
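Review bot: `risk_score = 73` here together with `severity = "high"` in the next hunk raises this rule from low to high, and the identical pair of hunks follows for char_arrays and concat_dynamic, while the other obfuscation rules in this diff (backtick, string_format, high_number_proportion, proportion_special_chars) receive only threshold tuning and keep whatever rating they had. The two values are consistent with each other, which presumably follows the repository's score-to-severity mapping, but nothing in the diff says why these three heuristics are now treated as high-confidence; a sentence in the PR description or in each rule's `note` (e.g. `Severity raised to high on 2025/12/17: <rationale>`) would save the next reader the guess. With a high rating the alert is expected to be acted on promptly, so the triage bullets immediately above (`- Implement enhanced monitoring …`, `- Update endpoint protection …`) are worth re-reading for whether they still match that urgency.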
@@ -71,7 +71,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "low"
+severity = "high"
 tags = [
 "Domain: Endpoint",
 "OS: Windows",
diff --git a/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml b/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml
index 7fad3b25bc8..61dc497df43 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/09"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -50,7 +50,7 @@ PowerShell is a powerful scripting language used for task automation and configu
 - Escalate the incident to the security operations team for further analysis and to determine if additional systems have been compromised.
 - Update endpoint protection and monitoring tools to enhance detection capabilities for similar obfuscation techniques, leveraging insights from the MITRE ATT&CK framework.
 """
-risk_score = 21
+risk_score = 73
 rule_id = "083383af-b9a4-42b7-a463-29c40efe7797"
 setup = """## Setup
 
@@ -70,7 +70,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "low"
+severity = "high"
 tags = [
 "Domain: Endpoint",
 "OS: Windows",
diff --git a/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml b/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml
index 48488f670db..2a7e4c2938a 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/09"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -119,12 +119,15 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 user.id
 // Filter for scripts with high numeric character ratio
-| where Esql.script_block_ratio > 0.30
+| where Esql.script_block_ratio > 0.35
 // Exclude Windows Defender Noisy Patterns
 | where not (
 file.directory == "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads" or
-file.directory like "C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection*"
+file.directory like (
+"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection*",
+"C:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent*"
+)
 )
 // ESQL requires this condition, otherwise it only returns matches where file.directory exists.
 or file.directory is null
diff --git a/rules/windows/defense_evasion_posh_obfuscation_string_format.toml b/rules/windows/defense_evasion_posh_obfuscation_string_format.toml
index a803bad5e82..33fed8daa77 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_string_format.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_string_format.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/03"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/09"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -117,8 +117,8 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 agent.id,
 user.id
-// Filter for scripts that match the pattern at least four times
-| where Esql.script_block_pattern_count >= 4
+// Filter for scripts that match the pattern at least five times
+| where Esql.script_block_pattern_count >= 5
 // Exclude Noisy Patterns
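Review bot: The context comment `// Exclude Windows Defender Noisy Patterns` is now inaccurate, because the new `like (...)` list also excludes `C:\\Program Files\\SentinelOne\\Sentinel Agent*`; rename it to something like `// Exclude noisy EDR agent paths (Defender ATP, SentinelOne)`. Both exclusions are keyed on `file.directory` alone, so script blocks under those paths are exempt from this rule whatever their content; that is a reasonable trade-off for an agent install folder, but the comment should record which component produced the noise so the entry can be revisited, and the trailing `*` should stay as narrow as the real folder name allows (presumably it covers a version-suffixed directory name — confirm). The ratio bump `> 0.30` → `> 0.35` is covered by the note on the backtick rule's threshold hunk above. The enclosing `query` string starts and ends outside this hunk.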
diff --git a/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml b/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml
index 42e6bd388e5..3d5b17f7cd0 100644
--- a/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml
+++ b/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/09"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -86,7 +86,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 user.id
 // Filter for scripts with high special character ratio
-| where Esql.script_block_ratio > 0.30
+| where Esql.script_block_ratio > 0.35
 // Exclude Noisy Patterns
 | where not file.directory like "C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"