Commit 53ab8bd
fix(rules/windows): exclude benign AMSI 'sentinel' harness from PowerShell rule (#2311)
The 'Suspicious PowerShell (Encoded / Download Cradle / AMSI Bypass)' rule (4104
script block) fired on every PowerShell session: the injected defensive
PSBreakpoint/AMSI 'sentinel' instrumentation harness contains the literal token
'AmsiInitFailed', which matches the first regex branch. With groupBy:[dataSource]
this collapsed into a single alert with thousands of echoes.
Add a per-script-block exclusion for the harness's unique markers
(sentinelbreakpoints, \windows\sentinel\, Po_wer_Spl_oit_Indicators). All
attack tokens are preserved; a real payload run through the harness is a separate
4104 event that still fires.
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>1 parent 4ef4b55 commit 53ab8bd
1 file changed
Lines changed: 3 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | | - | |
| 1 | + | |
2 | 2 | | |
3 | 3 | | |
4 | 4 | | |
| |||
9 | 9 | | |
10 | 10 | | |
11 | 11 | | |
12 | | - | |
| 12 | + | |
13 | 13 | | |
14 | 14 | | |
15 | 15 | | |
16 | | - | |
| 16 | + | |
17 | 17 | | |
18 | 18 | | |
19 | 19 | | |
0 commit comments