PowerShell Keylogging Script potential False Positive

I recently enabled a number of the provided rules in our test Elasticsearch/Kibana/Winlogbeat configuration and am seeing alerts on the "PowerShell Keylogging Script" rule every time I run nearly any powershell command on any of the Windows boxes I manage. That rule has the following detection:

event.category:process and
powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or Get-Keystrokes) or
powershell.file.script_block_text : ((SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and (GetForegroundWindow or GetWindowTextA or GetWindowTextW or WM_KEYBOARD_LL))

Through process of elimination, I was able to narrow down the string triggering the rule to "Get-Keystrokes". i.e if I create a custom rule that's a copy of the one above, and remove "Get-Keystrokes", the rule stops triggering. I can search in the discover interface and see that indeed I have results from that search.

My confusion is that none of the text in the message or script_block_text contains that string and none of the Powershell I'm running does either. When I search in discover for the string, I can't find the string in any of the result json either.

Here's an example of powershell that triggers it:

Get-PSRepository | Where-Object { $_.Name -eq "PSGallery" -and $_.InstallationPolicy -ne "Trusted" }

My question is essentially, what is causing the rule to fire and how can I verify the alert is a false positive, or not.

I am facing the same issue - that the mentioned rule (PowerShell Keylogging Script) triggers many false positives.

I suspect that the - in Get-Keystrokes means that any - in the powershell.file.script_block_text field's value would result in the rule being triggered.

This issue of having many false positives is similarly seen in the PowerShell Suspicious Script with Audio Capture Capabilities rule.

Its query is: event.category:process and powershell.file.script_block_text:(Get-MicrophoneAudio). This rule is clearer in showing that the - (in my opinion) character is the one that is triggering the rule detection, since there is only 1 value in powershell.file.script_block_text here.

May I ask how we are able to debug this?

Thank you.


Still looking for ways to debug this issue - to find out if our concerns are legitimate.

Thank you.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.