From a42faa6f9a963e085f777b2417c029c33a36e4b7 Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Thu, 6 Nov 2025 21:15:47 +0000
Subject: [PATCH] [Tuning] Outbound Scheduled Task Activity via PowerShell

https://github.com/elastic/detection-rules/issues/5286

Verified cidrmatch on destination.ip works on both integrations (endpoint and sysmon):

---
 rules/windows/execution_scheduled_task_powershell_source.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml
index 11ecc5b29e3..67a11ba82f0 100644
--- a/rules/windows/execution_scheduled_task_powershell_source.toml
+++ b/rules/windows/execution_scheduled_task_powershell_source.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/11/06"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ query = '''
 sequence by host.id, process.entity_id with maxspan = 5s
  [any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and (?dll.name : "taskschd.dll" or file.name : "taskschd.dll") and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")]
-  [network where host.os.type == "windows" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")]
+  [network where host.os.type == "windows" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not cidrmatch(destination.ip, "127.0.0.0/8", "::1/128")]
 '''