
[Rule Tuning] Potential Antimalware Scan Interface Bypass via PowerShell

Open drummbelbummel opened this issue 7 months ago • 3 comments

Link to Rule

https://github.com/elastic/detection-rules/blob/bfca0ea4142cb29321ddfc30412963db4e599333/rules/windows/defense_evasion_amsi_bypass_powershell.toml#L135C7-L135C40

Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

Description

On Intune-managed devices it seems to be "normal" that Microsoft is creating script files. As there's no path info, it is not possible to create a rule exception. Any idea on how this can be improved?

Example Data

example.json

drummbelbummel avatar May 29 '25 05:05 drummbelbummel

Thank you @drummbelbummel for submitting the sample FP. After verification it appears that you are using an old version of the rule that we previously tuned. Can you compare the query of the rule in your stack with the recent one in our repository?

The old version had the condition System.Management.Automation.AmsiUtils unquoted, which matches on any keyword "system"; the current version has "System.Management.Automation.AmsiUtils" (double-quoted) and it won't match on it:


Make sure you update the rules from the SIEM>Rules management dashboard.

Samirbous avatar May 29 '25 08:05 Samirbous
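The maintainer's point above, that an unquoted value behaves like a set of loose terms (so any script containing the word "system" fires) while the double-quoted value is matched as one exact phrase, can be reproduced offline. The following is an added illustration, not code from the detection-rules repository and not the actual KQL evaluation engine: it approximates the two matching modes in Python and runs them over constructed script-block samples (the Intune-style benign script, the AmsiUtils reflection string and an unrelated command are all made up here for the demonstration; the hypothetical helper names are mine).

```python
import re

# The value the rule looks for in powershell.file.script_block_text.
AMSI_UTILS = "System.Management.Automation.AmsiUtils"

# Constructed script-block samples (not real telemetry). The first one stands in
# for the kind of management script the reporter sees on Intune-managed devices;
# it only happens to contain the word "System".
SAMPLES = {
    "intune_benign": (
        "# Intune managed script\n"
        "$svc = Get-Service -Name 'System Event Notification'\n"
        "Write-Output $svc.Status"
    ),
    "amsi_bypass": (
        "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
        ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"
    ),
    "unrelated": "Get-Process | Where-Object { $_.CPU -gt 100 }",
}

# Split text into lower-cased word tokens; dots and quotes are separators, so
# "System.Management.Automation.AmsiUtils" becomes four independent terms.
TOKEN_RE = re.compile(r"[A-Za-z0-9_]+")


def tokens(text):
    return {t.lower() for t in TOKEN_RE.findall(text)}


def unquoted_keyword_match(text, value):
    """Approximation (assumption) of the OLD, unquoted condition: the value is
    broken into terms and the rule fires if ANY term occurs in the script block.
    That is exactly why a script mentioning only 'System' produces an alert."""
    return bool(tokens(value) & tokens(text))


def quoted_phrase_match(text, value):
    """Approximation of the CURRENT, double-quoted condition: the whole string
    must appear as one contiguous phrase (case-insensitive here)."""
    return value.lower() in text.lower()


def evaluate(rule_fn, value=AMSI_UTILS):
    """Run one matching mode over every sample; returns {sample_name: fired}."""
    return {name: rule_fn(text, value) for name, text in SAMPLES.items()}


def false_positives(rule_fn, value=AMSI_UTILS, truly_malicious=("amsi_bypass",)):
    """Names of samples that fired but are not in the known-malicious set."""
    fired = evaluate(rule_fn, value)
    return sorted(n for n, hit in fired.items() if hit and n not in truly_malicious)


if __name__ == "__main__":
    for label, fn in (("old/unquoted", unquoted_keyword_match),
                      ("new/quoted", quoted_phrase_match)):
        print(f"{label:13s} fired on: {evaluate(fn)}  FPs: {false_positives(fn)}")
```

Both modes still catch the reflection-based AmsiUtils access; only the unquoted form also fires on the benign management script, which is the tuning the updated rule delivers. The same token-versus-phrase check is a useful habit whenever a rule's search term is a dotted .NET type name, a path, or anything else an analyzer would split on punctuation.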

Hello @Samirbous. I checked the rule and it is

Created by: elastic on Mar 25, 2023 @ 10:13:42.099 Updated by: guenter on May 14, 2025 @ 07:05:57.155

As far as I understand, the rule came with the "Windows" integration. Mine is version 3.0.0.

There's no update available on Kali Linux?

I guess it is the old rule, but I wonder why it is not updated via the integration?

drummbelbummel avatar May 30 '25 05:05 drummbelbummel

@shashank-elastic any ideas on this update issue ?

Samirbous avatar May 30 '25 10:05 Samirbous

@Samirbous, @shashank-elastic,

I was able to fix the rule update problem. This rule was not automatically updated; I had to do this manually via the "Rules" section. Now I have the "fixed" rule in place and I will check if the issue is fixed.

Thanks for supporting me.

drummbelbummel avatar Jun 02 '25 07:06 drummbelbummel

@drummbelbummel Great, let me know if you don't see the same FPs, so we can close this issue.

Samirbous avatar Jun 02 '25 09:06 Samirbous

@Samirbous, as promised, and good news: after updating the rules this alert is gone. And much more: instead of hundreds of alerts per day there are only about 10. I cannot really believe this and will check the system. My failure, for others to maybe learn from: I was not aware of "updating rules". I thought they were updated with the integrations or automatically. Now I know what to take care of. Thanks a lot to all supporting this case. GOOD JOB!

drummbelbummel avatar Jun 04 '25 15:06 drummbelbummel