Custom Rules

[bb0rges]

I am testing some custom rules but so far nothing. I've made a simple porwershell -ExecutionPolicy Bypass rules for testing proposes no alert was seen, how does the custom rule works I did everything as the documentation says I am doing something wrong or is the system not working?

`name: "PowerShell Execution with -ExecutionPolicy Bypass"
severity: "High"
description: "Detects PowerShell commands that use -ExecutionPolicy Bypass, indicating an attempt to bypass script execution restrictions."
solution: "Investigate the user and origin of this command. Verify if this is an authorized activity. Monitor for further suspicious PowerShell usage."
category: "Execution"
tactic: "Execution"
dataTypes: ["wineventlog"]
reference:

• "https://attack.mitre.org/techniques/T1059/001/"
  frequency: 60
  cache:
• allOf:
  • field: "logx.wineventlog.event_data.ScriptBlockText" # Field containing the PowerShell command
    operator: "regexp"
    value: "(powershell|pwsh)(.+)?-ExecutionPolicy\s+Bypass"
    minCount: 1
    timeLapse: 60
    save:
  • field: "logx.wineventlog.user.name"
    alias: "SourceUser"
  • field: "logx.wineventlog.host.name"
    alias: "DestinationHost"
  • field: "logx.wineventlog.host.ip"
    alias: "SourceIP"
  • field: "logx.wineventlog.event_data.ScriptBlockText" # Full command line with ExecutionPolicy Bypass
    alias: "CommandLine"`

[c3s4rfred]

Hi @bb0rges please, can you attach the file to check the identation. Anyway, you have an issue with the regexp, you need to scape the scape character '' to make it work -> (powershell|pwsh)(.+)?-ExecutionPolicy\s+Bypass

Example:
"pwsh> This is a test -ExecutionPolicy Bypass" this will match.

Best regards