Skip to content

Commit 53ab8bd

Browse files
rvald26claude
andauthored
fix(rules/windows): exclude benign AMSI 'sentinel' harness from PowerShell rule (#2311)
The 'Suspicious PowerShell (Encoded / Download Cradle / AMSI Bypass)' rule (4104 script block) fired on every PowerShell session: the injected defensive PSBreakpoint/AMSI 'sentinel' instrumentation harness contains the literal token 'AmsiInitFailed', which matches the first regex branch. With groupBy:[dataSource] this collapsed into a single alert with thousands of echoes. Add a per-script-block exclusion for the harness's unique markers (sentinelbreakpoints, \windows\sentinel\, Po_wer_Spl_oit_Indicators). All attack tokens are preserved; a real payload run through the harness is a separate 4104 event that still fires. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 4ef4b55 commit 53ab8bd

1 file changed

Lines changed: 3 additions & 3 deletions

File tree

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
# Rule version v1.2.0 (validated 2026-06-24)
1+
# Rule version v1.3.0 (validated 2026-07-01)
22
dataTypes:
33
- wineventlog
44
name: 'Windows: Suspicious PowerShell (Encoded / Download Cradle / AMSI Bypass)'
@@ -9,11 +9,11 @@ impact:
99
category: Execution
1010
technique: 'T1059.001 - Command and Scripting Interpreter: PowerShell'
1111
adversary: origin
12-
description: 'Detects high-risk PowerShell script-block content: download cradles, encoded/hidden execution, reflective loading and AMSI bypass markers. Matches the 4104 script-block text (not the -EncodedCommand flag, to avoid benign false positives).'
12+
description: 'Detects high-risk PowerShell script-block content: download cradles, encoded/hidden execution, reflective loading and AMSI bypass markers. Matches the 4104 script-block text (not the -EncodedCommand flag, to avoid benign false positives). v1.3.0: excludes the benign injected PSBreakpoint/AMSI "sentinel" instrumentation harness (markers: sentinelbreakpoints, \windows\sentinel\, Po_wer_Spl_oit_Indicators) that otherwise false-positives on the literal "AmsiInitFailed" token it emits on every PowerShell session. The exclusion is per-script-block, so a real payload executed through the harness is a separate 4104 event and still fires.'
1313
references:
1414
- https://attack.mitre.org/techniques/T1059/001/
1515
where: |
16-
equals("log.eventCode", "4104") && (regexMatch("log.eventDataScriptBlockText", "(?i)(amsiutils|amsiinitfailed|amsiscanbuffer|virtualalloc|writeprocessmemory|getdelegateforfunctionpointer|invoke-mimikatz|invoke-shellcode|invoke-dllinjection|createremotethread)") || (regexMatch("log.eventDataScriptBlockText", "(?i)(downloadstring|downloadfile|downloaddata|invoke-webrequest|net.webclient|start-bitstransfer)") && regexMatch("log.eventDataScriptBlockText", "(?i)(iex|invoke-expression|-enc |-encodedcommand|-w hidden|-windowstyle hidden|frombase64string)")))
16+
equals("log.eventCode", "4104") && !regexMatch("log.eventDataScriptBlockText", "(?i)(sentinelbreakpoints|windows.sentinel.[0-9]|po_wer_spl_oit_indicators)") && (regexMatch("log.eventDataScriptBlockText", "(?i)(amsiutils|amsiinitfailed|amsiscanbuffer|virtualalloc|writeprocessmemory|getdelegateforfunctionpointer|invoke-mimikatz|invoke-shellcode|invoke-dllinjection|createremotethread)") || (regexMatch("log.eventDataScriptBlockText", "(?i)(downloadstring|downloadfile|downloaddata|invoke-webrequest|net.webclient|start-bitstransfer)") && regexMatch("log.eventDataScriptBlockText", "(?i)(iex|invoke-expression|-enc |-encodedcommand|-w hidden|-windowstyle hidden|frombase64string)")))
1717
groupBy:
1818
- dataSource
1919
deduplicateBy: []

0 commit comments

Comments
 (0)