Potential PowerShell Obfuscated Script

 1[metadata]
 2creation_date = "2024/07/03"
 3integration = ["windows"]
 4maturity = "production"
 5updated_date = "2025/01/22"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies scripts that contain patterns and known methods that obfuscate PowerShell code. Attackers can use obfuscation
13techniques to bypass PowerShell security protections such as Antimalware Scan Interface (AMSI).
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-windows.powershell*"]
17language = "kuery"
18license = "Elastic License v2"
19name = "Potential PowerShell Obfuscated Script"
20references = ["https://github.com/danielbohannon/Invoke-Obfuscation"]
21risk_score = 47
22rule_id = "8025db49-c57c-4fc0-bd86-7ccd6d10a35a"
23setup = """## Setup
24
25The 'PowerShell Script Block Logging' logging policy must be enabled.
26Steps to implement the logging policy with Advanced Audit Configuration:

1
2Steps to implement the logging policy via registry:

  1"""
  2severity = "medium"
  3tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
  4timestamp_override = "event.ingested"
  5type = "query"
  6
  7query = '''
  8event.category:process and host.os.type:windows and
  9  powershell.file.script_block_text : (
 10    "[string]::join" or
 11    "-Join" or
 12    "[convert]::toint16" or
 13    "[char][int]$_" or
 14    ("ConvertTo-SecureString" and "PtrToStringAuto") or
 15    ".GetNetworkCredential().password" or
 16    "-BXor" or
 17    ("replace" and "char") or
 18    "[array]::reverse" or
 19    "-replace"
 20  ) and
 21  powershell.file.script_block_text : (
 22    ("$pSHoMe[" and "+$pSHoMe[") or
 23    ("$ShellId[" and "+$ShellId[") or
 24    ("$env:ComSpec[4" and "25]-Join") or
 25    (("Set-Variable" or "SV" or "Set-Item") and "OFS") or
 26    ("*MDR*" and "Name[3,11,2]") or
 27    ("$VerbosePreference" and "[1,3]+'X'-Join''") or
 28    ("rahc" or "ekovin" or "gnirts" or "ecnereferpesobrev" or "ecalper" or "cepsmoc" or "dillehs") or
 29    ("System.Management.Automation.$([cHAr]" or "System.$([cHAr]" or ")+[cHAR]([byte]")
 30  )
 31'''
 32note = """## Triage and analysis
 33
 34> **Disclaimer**:
 35> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 36
 37### Investigating Potential PowerShell Obfuscated Script
 38
 39PowerShell is a powerful scripting language used for task automation and configuration management in Windows environments. Adversaries exploit its flexibility to obfuscate scripts, evading security measures like AMSI. The detection rule identifies obfuscation patterns, such as string manipulation and encoding techniques, to flag potentially malicious scripts, aiding in defense evasion detection.
 40
 41### Possible investigation steps
 42
 43- Review the PowerShell script block text captured in the alert to identify any suspicious patterns or obfuscation techniques, such as string manipulation or encoding methods like "[string]::join" or "-Join".
 44- Check the process execution details, including the parent process and command line arguments, to understand the context in which the PowerShell script was executed.
 45- Investigate the source and destination of the script execution by examining the host and user details to determine if the activity aligns with expected behavior or if it originates from an unusual or unauthorized source.
 46- Analyze any network connections or file modifications associated with the PowerShell process to identify potential data exfiltration or lateral movement activities.
 47- Correlate the alert with other security events or logs, such as Windows Event Logs or network traffic logs, to gather additional context and identify any related suspicious activities.
 48- Assess the risk and impact of the detected activity by considering the severity and risk score provided in the alert, and determine if immediate remediation actions are necessary.
 49
 50### False positive analysis
 51
 52- Legitimate administrative scripts may use string manipulation and encoding techniques for benign purposes, such as data processing or configuration management. Review the context of the script execution and verify the source and intent before flagging it as malicious.
 53- Scripts that automate complex tasks might use obfuscation-like patterns to handle data securely or efficiently. Consider whitelisting known scripts or trusted sources to reduce false positives.
 54- Development and testing environments often run scripts with obfuscation patterns for testing purposes. Exclude these environments from the rule or create exceptions for specific users or groups involved in development.
 55- Security tools and monitoring solutions might generate PowerShell scripts with obfuscation patterns as part of their normal operation. Identify these tools and exclude their activities from triggering the rule.
 56- Regularly update the list of exceptions and whitelisted scripts to ensure that new legitimate scripts are not mistakenly flagged as threats.
 57
 58### Response and remediation
 59
 60- Isolate the affected system from the network to prevent further spread of potentially malicious scripts.
 61- Terminate any suspicious PowerShell processes identified by the detection rule to halt ongoing malicious activity.
 62- Conduct a thorough review of the PowerShell script block logs to identify and remove any obfuscated scripts or malicious code remnants.
 63- Restore the system from a known good backup if malicious activity is confirmed and system integrity is compromised.
 64- Update and patch the affected system to ensure all security vulnerabilities are addressed, reducing the risk of exploitation.
 65- Monitor the system and network for any signs of re-infection or similar obfuscation patterns to ensure the threat has been fully mitigated.
 66- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
 67
 68[[rule.threat]]
 69framework = "MITRE ATT&CK"
 70[[rule.threat.technique]]
 71id = "T1027"
 72name = "Obfuscated Files or Information"
 73reference = "https://attack.mitre.org/techniques/T1027/"
 74
 75[[rule.threat.technique]]
 76id = "T1140"
 77name = "Deobfuscate/Decode Files or Information"
 78reference = "https://attack.mitre.org/techniques/T1140/"
 79
 80
 81[rule.threat.tactic]
 82id = "TA0005"
 83name = "Defense Evasion"
 84reference = "https://attack.mitre.org/tactics/TA0005/"
 85
 86
 87[[rule.threat]]
 88framework = "MITRE ATT&CK"
 89[[rule.threat.technique]]
 90id = "T1059"
 91name = "Command and Scripting Interpreter"
 92reference = "https://attack.mitre.org/techniques/T1059/"
 93[[rule.threat.technique.subtechnique]]
 94id = "T1059.001"
 95name = "PowerShell"
 96reference = "https://attack.mitre.org/techniques/T1059/001/"
 97
 98
 99
100[rule.threat.tactic]
101id = "TA0002"
102name = "Execution"
103reference = "https://attack.mitre.org/tactics/TA0002/"