Windows: reduce false positives on Suspicious PowerShell (AMSI Bypass) rule#2311
Windows: reduce false positives on Suspicious PowerShell (AMSI Bypass) rule#2311rvald26 wants to merge 1 commit into
Conversation
…Shell rule The 'Suspicious PowerShell (Encoded / Download Cradle / AMSI Bypass)' rule (4104 script block) fired on every PowerShell session: the injected defensive PSBreakpoint/AMSI 'sentinel' instrumentation harness contains the literal token 'AmsiInitFailed', which matches the first regex branch. With groupBy:[dataSource] this collapsed into a single alert with thousands of echoes. Add a per-script-block exclusion for the harness's unique markers (sentinelbreakpoints, \windows\sentinel\, Po_wer_Spl_oit_Indicators). All attack tokens are preserved; a real payload run through the harness is a separate 4104 event that still fires. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
❌ Go dependencies check failedThere are outdated Go dependencies, or modules that could not be inspected. Script output |
✅ AI review — ApprovedNo issues detected in this diff. ✅
|
⛔ Permission deniedOnly members of @utmstack/administrators or @utmstack/core-developers can merge PRs into this repository. PR author: @rvald26 The comments above (deps + AI review) are still valid — if you address them, the checks will re-run automatically, but final approval is left to an administrator. @utmstack/administrators please review. |
Summary
Reduces false positives on
rules/windows/suspicious_powershell_obfuscation.yml— "Windows: Suspicious PowerShell (Encoded / Download Cradle / AMSI Bypass)" (event 4104, T1059.001). One line of detection logic changed; all attack coverage preserved.Problem
The rule fired on every PowerShell session on affected hosts. Because the rule uses
groupBy: [dataSource], the hits collapsed into a single HIGH alert that accumulated thousands of echoes — drowning out real detections.Root cause
The first regex branch matches the token
amsiinitfailed. The benign, injected defensive PSBreakpoint/AMSI "sentinel" instrumentation harness (the<#sentinelbreakpoints#>/Set-PSBreakpoint … out-file ':::::\windows\sentinel\N'canary tool) is loaded into essentially every PowerShell session and contains the literal stringAmsiInitFailed(e.g.Remove-Variable AmsiInitFailed). That single token tripped the rule on every session.Fix
Add a per-script-block exclusion for the harness's unique fingerprints, ANDed ahead of the detection logic:
<#sentinelbreakpoints#>comment tag, the\windows\sentinel\Ncanary path, the$Po_wer_Spl_oit_Indicatorsarray) are unique to this defensive harness and do not appear in real malware.Validation
iex ((New-Object Net.WebClient).DownloadString(...))), the classic AMSIamsiInitFailedSetValue bypass, Invoke-Mimikatz, a reflective shellcode loader, and IWR+IEX cradles all still match. Benign scripts (IWR download without exec, bare-encwithout a cradle) remain silent.🤖 Generated with Claude Code