Potential PowerShell Obfuscated Script

Identifies scripts that contain patterns and known methods that obfuscate PowerShell code. Attackers can use obfuscation techniques to bypass PowerShell security protections such as Antimalware Scan Interface (AMSI).


# Elastic prebuilt detection rule. Flags PowerShell script blocks that combine
# generic string-building primitives with artefacts of a known obfuscation
# framework (see `references`), i.e. the kind of rewriting used to evade AMSI.
[metadata]
creation_date = "2024/07/03"
integration = ["windows"]
maturity = "production"
updated_date = "2024/07/03"

[rule]
author = ["Elastic"]
description = """
Identifies scripts that contain patterns and known methods that obfuscate PowerShell code. Attackers can use obfuscation
techniques to bypass PowerShell security protections such as Antimalware Scan Interface (AMSI).
"""
# Look-back window for each scheduled run of the rule.
from = "now-9m"
# The query only inspects powershell.file.script_block_text; that field is
# populated by Script Block Logging, which `setup` below requires to be enabled.
index = ["winlogbeat-*", "logs-windows.powershell*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential PowerShell Obfuscated Script"
references = ["https://github.com/danielbohannon/Invoke-Obfuscation"]
# 47 is the default risk score Elastic pairs with severity = "medium".
risk_score = 47
rule_id = "8025db49-c57c-4fc0-bd86-7ccd6d10a35a"
# NOTE(review): the reg path in this basic """ string contains backslash
# sequences (\S, \P, \M, \W) that are not valid TOML 1.0 escapes; a strict
# parser rejects them. Presumably tolerated by the rule loader — confirm, or
# switch the string to a literal ''' form, which needs no escaping.
setup = """## Setup

The 'PowerShell Script Block Logging' logging policy must be enabled.
Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable)


Steps to implement the logging policy via registry:

reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1

"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs"]
# The `from` window is evaluated against ingest time (event.ingested) rather
# than the event's own timestamp.
timestamp_override = "event.ingested"
type = "query"

# Both script_block_text clauses must match (they are joined with `and`).
# The first clause lists generic string-manipulation primitives (join,
# convert/char casts, -BXor, replace, [array]::reverse). The second clause
# lists narrower artefacts, presumably drawn from the Invoke-Obfuscation
# reference: character indexing into built-in variables ($pSHoMe[, $ShellId[,
# $env:ComSpec[), OFS manipulation, and reversed tokens — "rahc" is "char",
# "ekovin" is "invoke", "gnirts" is "string", "ecnereferpesobrev" is
# "verbosepreference", "ecalper" is "replace", "cepsmoc" is "comspec",
# "dillehs" is "shellid" — which pair with the [array]::reverse primitive.
# Requiring both clauses keeps the generic first clause from matching alone.
query = '''
event.category:process and host.os.type:windows and
  powershell.file.script_block_text : (
    "[string]::join" or
    "-Join" or
    "[convert]::toint16" or
    "[char][int]$_" or
    ("ConvertTo-SecureString" and "PtrToStringAuto") or
    ".GetNetworkCredential().password" or
    "-BXor" or
    ("replace" and "char") or
    "[array]::reverse"
  ) and
  powershell.file.script_block_text : (
    ("$pSHoMe[" and "+$pSHoMe[") or
    ("$ShellId[" and "+$ShellId[") or
    ("$env:ComSpec[4" and "25]-Join") or
    (("Set-Variable" or "SV" or "Set-Item") and "OFS") or
    ("*MDR*" and "Name[3,11,2]") or
    ("$VerbosePreference" and "[1,3]+'X'-Join''") or
    ("rahc" or "ekovin" or "gnirts" or "ecnereferpesobrev" or "ecalper" or "cepsmoc" or "dillehs")
  )
'''

# Threat mapping 1 of 2: Defense Evasion — the obfuscation itself (T1027) and
# its counterpart deobfuscate/decode technique (T1140).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1027"
name = "Obfuscated Files or Information"
reference = "https://attack.mitre.org/techniques/T1027/"

[[rule.threat.technique]]
id = "T1140"
name = "Deobfuscate/Decode Files or Information"
reference = "https://attack.mitre.org/techniques/T1140/"


# Tactic for the [[rule.threat]] entry opened above (TOML attaches this
# sub-table to the most recent array element).
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"


# Threat mapping 2 of 2: Execution through the PowerShell interpreter
# (T1059.001 under T1059).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"



# Tactic for the second [[rule.threat]] entry.
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
