[Rule Tuning] Posh BBRs (#4372)

(cherry picked from commit 74f11db)
elastic · Jan 21, 2025 · 32350b9 · 32350b9
1 parent fcc61cd
commit 32350b9
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 7 deletions.
diff --git a/rules_building_block/defense_evasion_posh_defender_tampering.toml b/rules_building_block/defense_evasion_posh_defender_tampering.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2024/09/11"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/10/28"
+updated_date = "2025/01/13"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -58,7 +58,12 @@ event.category: "process" and host.os.type:windows and
     DisableRealtimeMonitoring or LowThreatDefaultAction or
     ModerateThreatDefaultAction or HighThreatDefaultAction
   )
-)
+) and
+not powershell.file.script_block_text : (
+  ("cmdletization" and "cdxml-Help.xml") or
+  ("function Set-MpPreference" and "Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.SubmitSamplesConsentType")
+) and
+not file.directory : "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM"
 '''
 
 

diff --git a/rules_building_block/discovery_posh_generic.toml b/rules_building_block/discovery_posh_generic.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2024/10/28"
+updated_date = "2025/01/13"
 
 
 [rule]
@@ -63,7 +63,7 @@ event.category:process and host.os.type:windows and
       ("Get-WmiObject" or "gwmi" or "Get-CimInstance" or
        "gcim" or "Management.ManagementObjectSearcher" or
        "System.Management.ManagementClass" or
-       "[WmiClass]" or "[WMI]") and
+       "[WmiClass]") and
       (
         "AntiVirusProduct" or "CIM_BIOSElement" or "CIM_ComputerSystem" or "CIM_Product" or "CIM_DiskDrive" or
         "CIM_LogicalDisk" or "CIM_NetworkAdapter" or "CIM_StorageVolume" or "CIM_OperatingSystem" or
@@ -136,7 +136,8 @@ event.category:process and host.os.type:windows and
       "Microsoft.PowerShell.Core\Export-ModuleMember" and
       "Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter"
     ) or
-    "CmdletsToExport=@(\"Add-Content\","
+    "CmdletsToExport=@(\"Add-Content\"," or
+    ("cmdletization" and "cdxml-Help.xml")
   ) and
   not user.id : ("S-1-5-18" or "S-1-5-19" or "S-1-5-20")
 '''

diff --git a/rules_building_block/lateral_movement_posh_winrm_activity.toml b/rules_building_block/lateral_movement_posh_winrm_activity.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2024/10/28"
+updated_date = "2025/01/13"
 
 [rule]
 author = ["Elastic"]
@@ -57,7 +57,9 @@ event.category:process and host.os.type:windows and
   ) and
   not user.id : "S-1-5-18" and
   not file.directory : (
-    "C:\\Program Files\\LogicMonitor\\Agent\\tmp"
+    "C:\\Program Files\\LogicMonitor\\Agent\\tmp" or
+    "C:\\Program Files\\WindowsPowerShell\\Modules\\icinga-powershell-framework\\cache" or
+    "C:\\Program Files\\WindowsPowerShell\\Modules\\SmartCardTools\\1.2.2"
   ) and not
   powershell.file.script_block_text : (
     "Export-ModuleMember -Function @('Invoke-Expression''Invoke-Command')" and