[Rule Tuning] Potential Antimalware Scan Interface Bypass via PowerShell

[drummbelbummel]

Link to Rule

https://github.com/elastic/detection-rules/blob/bfca0ea4142cb29321ddfc30412963db4e599333/rules/windows/defense_evasion_amsi_bypass_powershell.toml#L135C7-L135C40

Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

Description

on intune managed devices it seems to be "normal" that microsoft is creating script files. As there's no path info it is not possible to create an rule exception. Any idea on how this can be improved?

Example Data

example.json

[Samirbous]

thank you @drummbelbummel for submitting the sample FP, after verification it appears like you are using an old version of the rule that we previously tuned, can you compare the query of the rule in your stack with the recent one in our repository ?

the old version had this condition System.Management.Automation.AmsiUtils unquoted, which match on any keyword system, the current version had "System.Management.Automation.AmsiUtils" (double-quoted) and it won't match on it:

Make sure you update the rules from the SIEM>Rules management dashboard.

[drummbelbummel]

Hello @Samirbous. I checked the rule and it is

Created by: elastic on Mar 25, 2023 @ 10:13:42.099
Updated by: guenter on May 14, 2025 @ 07:05:57.155

As far as i understand the rule came with the "Windows" Integration. Mine is Version 3.0.0.

There's no update available on kali linux?

Guess it is the old rule but i wonder why it is not updated via the Integration?

[Samirbous]

@shashank-elastic any ideas on this update issue ?

[drummbelbummel]

@Samirbous, @shashank-elastic,

i was able to fix the rule update problem. This rule was not automatically updated - i had to do this manually via the "rules" section.
No i have the "fixed" rule in charge and i will check if the issue is fixed.

Thx for supporting me.

[Samirbous]

@drummbelbummel Great, let me know if you don't see the same FPs, so we can close this issue.

[drummbelbummel]

@Samirbous as promised and good news.
After updating the rules this alert is gone. And much more - instead of hundreds alerts per day there's only about 10.
I can not really believe this and will check the system.
My failure - for others to maybe learn - i was not aware of "updating rules". I thought they were updated with the integrations or automatically.
Now i know what to take care of.
Thanks a lot to all supporting this case. GOOD JOB!