From 43652110feaeac6bea1235ce675eef4111c12fa7 Mon Sep 17 00:00:00 2001 From: rvald26 <37116247+rvald26@users.noreply.github.com> Date: Wed, 1 Jul 2026 16:25:59 -0400 Subject: [PATCH] fix(rules/windows): exclude benign AMSI 'sentinel' harness from PowerShell rule The 'Suspicious PowerShell (Encoded / Download Cradle / AMSI Bypass)' rule (4104 script block) fired on every PowerShell session: the injected defensive PSBreakpoint/AMSI 'sentinel' instrumentation harness contains the literal token 'AmsiInitFailed', which matches the first regex branch. With groupBy:[dataSource] this collapsed into a single alert with thousands of echoes. Add a per-script-block exclusion for the harness's unique markers (sentinelbreakpoints, \windows\sentinel\, Po_wer_Spl_oit_Indicators). All attack tokens are preserved; a real payload run through the harness is a separate 4104 event that still fires. Co-Authored-By: Claude Opus 4.8 (1M context) --- rules/windows/suspicious_powershell_obfuscation.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/suspicious_powershell_obfuscation.yml b/rules/windows/suspicious_powershell_obfuscation.yml index 410374c7e..764b9d0b8 100644 --- a/rules/windows/suspicious_powershell_obfuscation.yml +++ b/rules/windows/suspicious_powershell_obfuscation.yml @@ -1,4 +1,4 @@ -# Rule version v1.2.0 (validated 2026-06-24) +# Rule version v1.3.0 (validated 2026-07-01) dataTypes: - wineventlog name: 'Windows: Suspicious PowerShell (Encoded / Download Cradle / AMSI Bypass)' @@ -9,11 +9,11 @@ impact: category: Execution technique: 'T1059.001 - Command and Scripting Interpreter: PowerShell' adversary: origin -description: 'Detects high-risk PowerShell script-block content: download cradles, encoded/hidden execution, reflective loading and AMSI bypass markers. Matches the 4104 script-block text (not the -EncodedCommand flag, to avoid benign false positives).' +description: 'Detects high-risk PowerShell script-block content: download cradles, encoded/hidden execution, reflective loading and AMSI bypass markers. Matches the 4104 script-block text (not the -EncodedCommand flag, to avoid benign false positives). v1.3.0: excludes the benign injected PSBreakpoint/AMSI "sentinel" instrumentation harness (markers: sentinelbreakpoints, \windows\sentinel\, Po_wer_Spl_oit_Indicators) that otherwise false-positives on the literal "AmsiInitFailed" token it emits on every PowerShell session. The exclusion is per-script-block, so a real payload executed through the harness is a separate 4104 event and still fires.' references: - https://attack.mitre.org/techniques/T1059/001/ where: | - equals("log.eventCode", "4104") && (regexMatch("log.eventDataScriptBlockText", "(?i)(amsiutils|amsiinitfailed|amsiscanbuffer|virtualalloc|writeprocessmemory|getdelegateforfunctionpointer|invoke-mimikatz|invoke-shellcode|invoke-dllinjection|createremotethread)") || (regexMatch("log.eventDataScriptBlockText", "(?i)(downloadstring|downloadfile|downloaddata|invoke-webrequest|net.webclient|start-bitstransfer)") && regexMatch("log.eventDataScriptBlockText", "(?i)(iex|invoke-expression|-enc |-encodedcommand|-w hidden|-windowstyle hidden|frombase64string)"))) + equals("log.eventCode", "4104") && !regexMatch("log.eventDataScriptBlockText", "(?i)(sentinelbreakpoints|windows.sentinel.[0-9]|po_wer_spl_oit_indicators)") && (regexMatch("log.eventDataScriptBlockText", "(?i)(amsiutils|amsiinitfailed|amsiscanbuffer|virtualalloc|writeprocessmemory|getdelegateforfunctionpointer|invoke-mimikatz|invoke-shellcode|invoke-dllinjection|createremotethread)") || (regexMatch("log.eventDataScriptBlockText", "(?i)(downloadstring|downloadfile|downloaddata|invoke-webrequest|net.webclient|start-bitstransfer)") && regexMatch("log.eventDataScriptBlockText", "(?i)(iex|invoke-expression|-enc |-encodedcommand|-w hidden|-windowstyle hidden|frombase64string)"))) groupBy: - dataSource deduplicateBy: []