
Hi,

I wrote a rule, but the exclusion "WindowsBackup" is not working.

Can you help me?

Regards

rule Powershell {

meta:
    author = "..."
    description = "Powershell Execution Policy Bypass Attack"
    severity = "High"

events:
    $shell.metadata.log_type = "POWERSHELL" nocase
    $shell.metadata.event_type = "PROCESS_LAUNCH"
    $shell.target.process.command_line != /WindowsBackup/ nocase and

    re.regex($shell.target.process.command_line, /-ep bypass/) nocase or
    re.regex($shell.target.process.command_line, /-nop/) nocase or
    re.regex($shell.target.process.command_line, /-executionpolicy bypass/) nocase or
    re.regex($shell.target.process.command_line, /-executionpolicy/) nocase

condition:
    $shell
}

I would try grouping the four re.regex lines with parentheses like this:

rule Powershell {

meta:
    author = "..."
    description = "Powershell Execution Policy Bypass Attack"
    severity = "High"

events:
    $shell.metadata.log_type = "POWERSHELL" nocase
    $shell.metadata.event_type = "PROCESS_LAUNCH"
    $shell.target.process.command_line != /WindowsBackup/ nocase and

    (
    re.regex($shell.target.process.command_line, /-ep bypass/) nocase or
    re.regex($shell.target.process.command_line, /-nop/) nocase or
    re.regex($shell.target.process.command_line, /-executionpolicy bypass/) nocase or
    re.regex($shell.target.process.command_line, /-executionpolicy/) nocase
    )

condition:
    $shell
}

Working, thank you.


As another suggestion, you could also leverage a reference list https://cloud.google.com/chronicle/docs/reference/reference-lists

With that, you could make a `not` line for anything in the reference list, such as:


rule Powershell {

meta:
    author = "..."
    description = "Powershell Execution Policy Bypass Attack"
    severity = "High"

events:
    $shell.metadata.log_type = "POWERSHELL" nocase
    $shell.metadata.event_type = "PROCESS_LAUNCH"
    // Exclusion list
    not ($shell.target.process.command_line in regex %powershell_not)

condition:
    $shell
}
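To make the precedence problem from the first two posts and the reference-list alternative above concrete, here is an added Python simulation; it is not code from the thread or from Chronicle, and it assumes YARA-L gives `and` higher precedence than `or` (which is what the working parenthesised fix implies). The command lines are constructed samples.

```python
import re

# Regexes taken from the rule in the thread; all matching is case-insensitive (nocase)
BYPASS_PATTERNS = [r"-ep bypass", r"-nop", r"-executionpolicy bypass", r"-executionpolicy"]
EXCLUSION = r"WindowsBackup"

# Constructed sample command lines (not from the original thread). The first two
# are the scheduled backup job that the WindowsBackup exclusion is meant to suppress.
SAMPLES = {
    "backup_ep":  r"powershell.exe -ep bypass -File C:\Jobs\WindowsBackup\run.ps1",
    "backup_nop": r"powershell.exe -nop -File C:\Jobs\WindowsBackup\run.ps1",
    "suspicious": r"POWERSHELL.EXE -NoP -W Hidden -ExecutionPolicy Bypass -c ...",
    "benign":     r"powershell.exe -File C:\Jobs\inventory.ps1",
}


def _hits(cmd):
    """One boolean per bypass regex, mirroring the four re.regex() lines."""
    return [re.search(p, cmd, re.IGNORECASE) is not None for p in BYPASS_PATTERNS]


def ungrouped(cmd):
    """Original rule: `and` binds tighter than `or`, so the exclusion only guards
    the first regex; the other three fire even for WindowsBackup command lines."""
    not_excluded = re.search(EXCLUSION, cmd, re.IGNORECASE) is None
    h = _hits(cmd)
    return (not_excluded and h[0]) or h[1] or h[2] or h[3]


def grouped(cmd):
    """Fixed rule: the parentheses make the exclusion apply to every regex."""
    not_excluded = re.search(EXCLUSION, cmd, re.IGNORECASE) is None
    return not_excluded and any(_hits(cmd))


def with_reference_list(cmd, exclusions):
    """Reference-list style (`not ... in regex %list`): any regex in the list
    suppresses the match, combined with the same bypass detection."""
    excluded = any(re.search(x, cmd, re.IGNORECASE) for x in exclusions)
    return not excluded and any(_hits(cmd))


if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(f"{name:11} ungrouped={ungrouped(cmd)!s:5} grouped={grouped(cmd)}")
```

Running it shows the backup job with `-nop` still alerting under the ungrouped condition and being suppressed once the `or` terms are parenthesised.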