Solved

Chronicle Rule

  • November 29, 2023
  • 3 replies
  • 10 views

sek

Hi,

I wrote a rule, but the exclusion "WindowsBackup" is not working.

Can you help me?

Regards

 

rule Powershell {

meta:
    author = "..."
    description = "Powershell Execution Policy Bypass Attack"
    severity = "High"

events:
    $shell.metadata.log_type = "POWERSHELL" nocase
    $shell.metadata.event_type = "PROCESS_LAUNCH"
    $shell.target.process.command_line != /WindowsBackup/ nocase and

    re.regex($shell.target.process.command_line, /-ep bypass/) nocase or
    re.regex($shell.target.process.command_line, /-nop/) nocase or
    re.regex($shell.target.process.command_line, /-executionpolicy bypass/) nocase or
    re.regex($shell.target.process.command_line, /-executionpolicy/) nocase

condition:
    $shell
}

Best answer by herrald


3 replies

herrald
  • Bronze 3
  • Answer
  • November 29, 2023

I would try grouping the four re.regex lines with parentheses like this:

 

rule Powershell {

meta:
    author = "..."
    description = "Powershell Execution Policy Bypass Attack"
    severity = "High"

events:
    $shell.metadata.log_type = "POWERSHELL" nocase
    $shell.metadata.event_type = "PROCESS_LAUNCH"
    $shell.target.process.command_line != /WindowsBackup/ nocase and

    (
    re.regex($shell.target.process.command_line, /-ep bypass/) nocase or
    re.regex($shell.target.process.command_line, /-nop/) nocase or
    re.regex($shell.target.process.command_line, /-executionpolicy bypass/) nocase or
    re.regex($shell.target.process.command_line, /-executionpolicy/) nocase
    )

condition:
    $shell
}

 


sek
  • Author
  • Bronze 3
  • November 29, 2023

Working, thank you.


  • Bronze 3
  • November 29, 2023

As another suggestion, you could also leverage a reference list https://cloud.google.com/chronicle/docs/reference/reference-lists

With that, you could make a `not` line for anything in the reference list such as: 

 

rule Powershell {

meta:
    author = "..."
    description = "Powershell Execution Policy Bypass Attack"
    severity = "High"

events:
    $shell.metadata.log_type = "POWERSHELL" nocase
    $shell.metadata.event_type = "PROCESS_LAUNCH"
    // Exclusion list
    not ($shell.target.process.command_line in regex %powershell_not)

condition:
    $shell
}
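To show why the grouping in the accepted answer matters, and how the reference-list exclusion from the reply above fits in, here is an added Python model of the three predicates (it is example code written for this page, not Chronicle's own evaluator or anything posted in the thread). It assumes that in the posted rule `and` binds tighter than `or`, so the exclusion only guards the first regex, which is consistent with the exclusion "not working" and with parentheses fixing it. The command lines are constructed samples, and the contents of the `%powershell_not` list (`WindowsBackup` plus an `C:\Admin\Approved\` path) are hypothetical:

```python
import re

# Constructed sample PROCESS_LAUNCH command lines; none is real telemetry.
# Indexes 2 and 3 are the "WindowsBackup" cases the question is about.
SAMPLE_COMMAND_LINES = [
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\deploy.ps1",
    r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
    r"powershell.exe -nop -File C:\Admin\WindowsBackup.ps1",
    r"powershell.exe -ep bypass -File C:\Admin\WindowsBackup.ps1",
    r"powershell.exe -Command Get-Date",
    r"powershell.exe -nop -File C:\Admin\Approved\patch.ps1",
]

# The four detection regexes from the thread's rule, each with nocase.
BYPASS_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"-ep bypass", r"-nop", r"-executionpolicy bypass", r"-executionpolicy")
]

# The single exclusion from the thread's rule (nocase).
EXCLUSION = re.compile(r"WindowsBackup", re.IGNORECASE)

# Hypothetical contents of a reference list such as %powershell_not:
# one regex per entry; "in regex %list" is true when any entry matches.
POWERSHELL_NOT_LIST = [
    re.compile(p, re.IGNORECASE)
    for p in (r"WindowsBackup", r"C:\\Admin\\Approved\\")
]


def _pattern_hits(cmd):
    """One bool per detection regex, in the order they appear in the rule."""
    return [p.search(cmd) is not None for p in BYPASS_PATTERNS]


def rule_as_posted(cmd):
    """Predicate of the rule in the question, assuming 'and' binds tighter
    than 'or':  (not excluded and p1) or p2 or p3 or p4
    The exclusion therefore only guards the first regex, /-ep bypass/."""
    p1, p2, p3, p4 = _pattern_hits(cmd)
    excluded = EXCLUSION.search(cmd) is not None
    return (not excluded and p1) or p2 or p3 or p4


def rule_grouped(cmd):
    """Predicate of the accepted answer; the parentheses make the exclusion
    guard all four regexes:  not excluded and (p1 or p2 or p3 or p4)"""
    excluded = EXCLUSION.search(cmd) is not None
    return not excluded and any(_pattern_hits(cmd))


def rule_with_reference_list(cmd, exclusion_list=POWERSHELL_NOT_LIST):
    """Reference-list variant: 'not (field in regex %list)' suppresses the
    match when any list entry matches; the detection clause stays grouped."""
    excluded = any(p.search(cmd) for p in exclusion_list)
    return not excluded and any(_pattern_hits(cmd))


def compare(cmds=SAMPLE_COMMAND_LINES):
    """Return {command_line: (as_posted, grouped, with_list)} for each sample."""
    return {
        cmd: (rule_as_posted(cmd), rule_grouped(cmd), rule_with_reference_list(cmd))
        for cmd in cmds
    }


if __name__ == "__main__":
    for cmd, (posted, grouped, listed) in compare().items():
        print(f"posted={posted!s:5} grouped={grouped!s:5} list={listed!s:5}  {cmd}")
```

Running it shows the asymmetry the question was hitting: `-ep bypass ... WindowsBackup.ps1` is suppressed even by the posted rule, because that regex is the one the `and` attaches to, while `-nop ... WindowsBackup.ps1` still fires until the four regexes are parenthesised. The list variant behaves like the grouped rule and additionally drops the `C:\Admin\Approved\` sample, which is the benefit of keeping exclusions in a reference list rather than editing the rule for each new path.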