I recently enabled a number of the provided rules in our test Elasticsearch/Kibana/Winlogbeat configuration and am seeing alerts on the "PowerShell Keylogging Script" rule every time I run nearly any PowerShell command on any of the Windows boxes I manage. That rule has the following detection:
event.category:process and
(
powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or Get-Keystrokes) or
powershell.file.script_block_text : ((SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and (GetForegroundWindow or GetWindowTextA or GetWindowTextW or WM_KEYBOARD_LL))
)
Through process of elimination, I was able to narrow down the string triggering the rule to "Get-Keystrokes", i.e. if I create a custom rule that's a copy of the one above and remove "Get-Keystrokes", the rule stops triggering. I can search in the Discover interface and see that indeed I have results from that search.
My confusion is that none of the text in the message or script_block_text contains that string, and none of the PowerShell I'm running does either. When I search in Discover for the string, I can't find the string in any of the result JSON either.
Here's an example of PowerShell that triggers it:
Get-PSRepository | Where-Object { $_.Name -eq "PSGallery" -and $_.InstallationPolicy -ne "Trusted" }
My question is essentially, what is causing the rule to fire and how can I verify the alert is a false positive, or not.
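One plausible explanation, added here as an illustration and not something the post itself establishes, is how the unquoted value `Get-Keystrokes` is analyzed: on a `text` field an unquoted KQL value becomes a `match` query, and if the field uses Elasticsearch's standard analyzer (assumed here) the hyphen splits the value into the tokens `get` and `keystrokes`, so a script block containing any `Get-*` cmdlet matches on the `get` token alone. The Python below simulates that tokenization (an approximation, not Elasticsearch's own code) and compares the unquoted term with a quoted phrase against the script from the question and a constructed keylogger-like script block.

```python
import re

# Approximation of Elasticsearch's standard analyzer (constructed for this
# example): lowercase, keep letters/digits/underscore together, split on
# everything else. A hyphen is therefore a token boundary, so
# "Get-Keystrokes" becomes ["get", "keystrokes"].
_TOKEN_RE = re.compile(r"[A-Za-z0-9_]+")

# The first clause of the rule, as listed in the question.
KEYLOG_TERMS = ["GetAsyncKeyState", "NtUserGetAsyncKeyState",
                "GetKeyboardState", "Get-Keystrokes"]

# Script block from the question (benign) and a constructed sample that
# actually invokes the cmdlet the rule is looking for.
BENIGN_SCRIPT = ('Get-PSRepository | Where-Object { $_.Name -eq "PSGallery" '
                 '-and $_.InstallationPolicy -ne "Trusted" }')
KEYLOG_SCRIPT = "Get-Keystrokes | Out-Null"  # constructed sample


def analyze(text: str) -> list[str]:
    """Tokenize roughly like the standard analyzer would."""
    return [t.lower() for t in _TOKEN_RE.findall(text)]


def kql_term_matches(value: str, field_text: str) -> bool:
    """Unquoted KQL value on a text field -> match query: any token suffices."""
    return bool(set(analyze(value)) & set(analyze(field_text)))


def kql_phrase_matches(value: str, field_text: str) -> bool:
    """Quoted KQL value -> match_phrase: tokens must appear in sequence."""
    wanted, have = analyze(value), analyze(field_text)
    n = len(wanted)
    return any(have[i:i + n] == wanted for i in range(len(have) - n + 1))


def clause_hits(script_block: str, quoted: bool) -> list[str]:
    """Return which rule terms would fire for a script block."""
    matcher = kql_phrase_matches if quoted else kql_term_matches
    return [t for t in KEYLOG_TERMS if matcher(t, script_block)]


if __name__ == "__main__":
    print("tokens:", analyze("Get-Keystrokes"))
    for label, script in (("benign", BENIGN_SCRIPT), ("keylog", KEYLOG_SCRIPT)):
        print(label, "unquoted:", clause_hits(script, quoted=False),
              "quoted:", clause_hits(script, quoted=True))
```

The real tokens for the field can be checked with Elasticsearch's `_analyze` API (`GET _analyze` with the field's analyzer and `"text": "Get-Keystrokes"`), and quoting `"Get-Keystrokes"` in the rule turns the term into a phrase match.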