bug fix

Patrick Bareiss · Patrick Bareiss · commit ca245715d4cd · 2025-03-14T11:55:15.000+01:00
diff --git a/data_sources/powershell_script_block_logging_4104.yml b/data_sources/powershell_script_block_logging_4104.yml
@@ -70,7 +70,6 @@ output_fields:
 - signature_id 
 - user_id 
 - vendor_product 
-- EventID 
 - Guid 
 - Opcode 
 - Name 
diff --git a/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml b/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml
@@ -61,9 +61,6 @@ rba:
   - field: dest
     type: system
     score: 10
-  - field: user
-    type: user
-    score: 10
   threat_objects: []
 tags:
   analytic_story:
diff --git a/detections/endpoint/windows_powershell_script_block_with_malicious_string.yml b/detections/endpoint/windows_powershell_script_block_with_malicious_string.yml
@@ -9,9 +9,8 @@ description: The following analytic detects the execution of multiple offensive
 data_source: 
 - Powershell Script Block Logging 4104
 search: |-
-  `powershell` ScriptBlockText EventCode=4104
-  | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command by dest signature 
-  signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText 
+  `powershell` ScriptBlockText=* EventCode=4104
+  | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Guid) as Guid values(Opcode) as Opcode values(Name) as Name values(Path) as Path values(ProcessID) as ProcessID values(ScriptBlockId) as ScriptBlockId values(ScriptBlockText) as ScriptBlockText by dest signature signature_id user_id vendor_product 
   | eval command = mvjoin(command,"\n")
   | lookup malicious_powershell_strings command  
   | where isnotnull(match)
@@ -34,10 +33,6 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
-- name: Investigate PowerShell on $dest$ 
-  search: '`powershell` ScriptBlockText EventCode=4104 Computer=$dest|s$ "*$match$*"'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
 rba:
   message: The user $user$ ran a known malicious PowerShell string matching *$match$* on $dest$
   risk_objects:
