[Rule Tuning] PowerShell Rules (#3903)

Removed changes from:
- rules/windows/defense_evasion_posh_assembly_load.toml
- rules/windows/defense_evasion_posh_compressed.toml
- rules/windows/discovery_posh_suspicious_api_functions.toml
- rules/windows/execution_posh_psreflect.toml
- rules_building_block/collection_posh_compression.toml
- rules_building_block/defense_evasion_powershell_clear_logs_script.toml

(selectively cherry picked from commit 6bc1913)

Author: w0rk3r

rules/windows/collection_posh_keylogger.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/10/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/17"
 
 [rule]
 author = ["Elastic"]
@@ -57,7 +57,7 @@ references = [
     "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1",
     "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1",
 ]
-risk_score = 47
+risk_score = 73
 rule_id = "bd2c86a0-8b61-4457-ab38-96943984e889"
 setup = """## Setup
 
@@ -77,7 +77,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "medium"
+severity = "high"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",

rules/windows/credential_access_posh_invoke_ninjacopy.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/01/23"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/17"
 
 [rule]
 author = ["Elastic"]
@@ -50,9 +50,9 @@ Invoke-NinjaCopy is a PowerShell script capable of reading SYSTEM files that wer
 references = [
     "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1",
 ]
-risk_score = 47
+risk_score = 73
 rule_id = "b8386923-b02c-4b94-986a-d223d9b01f88"
-severity = "medium"
+severity = "high"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",

rules/windows/credential_access_posh_kerb_ticket_dump.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/07/26"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/17"
 
 [rule]
 author = ["Elastic"]
@@ -61,7 +61,7 @@ This rule indicates the use of scripts that contain code capable of dumping Kerb
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
 references = ["https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1"]
-risk_score = 47
+risk_score = 73
 rule_id = "fddff193-48a3-484d-8d35-90bb3d323a56"
 setup = """## Setup
 
@@ -81,7 +81,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "medium"
+severity = "high"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",

rules/windows/credential_access_posh_relay_tools.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/03/27"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/17"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = [
     "https://github.com/nettitude/PoshC2/blob/master/resources/modules/Invoke-Tater.ps1",
     "https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1",
 ]
-risk_score = 47
+risk_score = 73
 rule_id = "951779c2-82ad-4a6c-82b8-296c1f691449"
 setup = """## Setup
 
@@ -42,7 +42,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "medium"
+severity = "high"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",
@@ -63,7 +63,8 @@ event.category:process and host.os.type:windows and
     "0x4e,0x54,0x20,0x4c,0x4d" or
     "0x53,0x4d,0x42,0x20,0x32" or
     "0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38"
-  )
+  ) and
+  not file.directory : "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads"
 '''
 
 

rules/windows/defense_evasion_posh_encryption.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/01/23"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/17"
 
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,12 @@ event.category:process and host.os.type:windows and
       ".CreateEncryptor" or
       ".CreateDecryptor"
     )
-  ) and not user.id : "S-1-5-18"
+  ) and
+  not user.id : "S-1-5-18" and
+  not (
+    file.name : "Bootstrap.Octopus.FunctionAppenderContext.ps1" and
+    powershell.file.script_block_text : ("function Decrypt-Variables" or "github.com/OctopusDeploy")
+  )
 '''
 
 

rules/windows/defense_evasion_posh_process_injection.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/10/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/17"
 
 [rule]
 author = ["Elastic"]
@@ -60,7 +60,7 @@ references = [
     "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1",
     "https://www.elastic.co/security-labs/detect-credential-access",
 ]
-risk_score = 47
+risk_score = 73
 rule_id = "2e29e96a-b67c-455a-afe4-de6183431d0d"
 setup = """## Setup
 
@@ -80,7 +80,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "medium"
+severity = "high"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",
@@ -101,8 +101,10 @@ event.category:process and host.os.type:windows and
    (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or
       SuspendThread or ResumeThread or GetDelegateForFunctionPointer)
   ) and not 
-  (user.id:("S-1-5-18" or "S-1-5-19") and
-   file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\SenseCM")
+  file.directory: (
+    "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM" or
+    "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads"
+  )
 '''
 
 

rules/windows/execution_posh_hacktool_authors.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/05/08"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/17"
 
 [rule]
 author = ["Elastic"]
@@ -73,9 +73,9 @@ host.os.type:windows and event.category:process and
       "itm4n" or "nurfed1" or
       "cfalta" or "Scott Sutherland" or
       "_nullbind" or "_tmenochet" or
-      "Boe Prox" or "jaredcatkinson" or
-      "ChrisTruncer" or "monoxgas" or
-      "TheRealWover" or "splinter_code"
+      "jaredcatkinson" or "ChrisTruncer" or
+      "monoxgas" or "TheRealWover" or
+      "splinter_code"
   )
 '''
 

rules/windows/privilege_escalation_posh_token_impersonation.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/08/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/17"
 
 [transform]
 [[transform.osquery]]
@@ -168,6 +168,10 @@ event.category:process and host.os.type:windows and
   ) and
   not powershell.file.script_block_text : (
     "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
+  ) and
+  not (
+    powershell.file.script_block_text : "New-HPPrivateToastNotificationLogo" and
+    file.path : "C:\Program Files\HPConnect\hp-cmsl-wl\modules\HP.Notifications\HP.Notifications.psm1"
   )
 '''