Potential PowerShell Obfuscated Script

Identifies scripts that contain patterns and known methods that obfuscate PowerShell code. Attackers can use obfuscation techniques to bypass PowerShell security protections such as Antimalware Scan Interface (AMSI).


# Rule metadata. Dates are kept as "YYYY/MM/DD" strings rather than TOML dates,
# so preserve that format when bumping them.
[metadata]
creation_date = "2024/07/03"
integration = ["windows"]
maturity = "production"
updated_date = "2024/10/28"
# Lowest stack version this rule is supported on; the reason is recorded in
# min_stack_comments (a breaking change in the Windows integration).
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies scripts that contain patterns and known methods that obfuscate PowerShell code. Attackers can use obfuscation
techniques to bypass PowerShell security protections such as Antimalware Scan Interface (AMSI).
"""
# Look-back window per rule run. With timestamp_override set below, the window is
# measured against event.ingested rather than the event's own @timestamp.
from = "now-9m"
# Winlogbeat plus the Windows integration's PowerShell data stream.
index = ["winlogbeat-*", "logs-windows.powershell*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential PowerShell Obfuscated Script"
# The second group of the query is built around token patterns this tool emits.
references = ["https://github.com/danielbohannon/Invoke-Obfuscation"]
# risk_score and severity are set as a pair (47 / medium); change them together.
risk_score = 47
rule_id = "8025db49-c57c-4fc0-bd86-7ccd6d10a35a"
# NOTE(review): two things to confirm against the repository copy of this string.
# 1. The page rendering appears to have dropped the markdown code fences around the
#    two commands below (the line numbering restarts where they would sit).
# 2. The reg path contains `\S`, `\P`, `\M` and `\W`, which are not valid escape
#    sequences in a TOML basic string; a strict TOML 1.0 parser rejects them. If the
#    consumer is strict, a literal '''...''' string or doubled backslashes avoid it.
setup = """## Setup

The 'PowerShell Script Block Logging' logging policy must be enabled.
Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable)

Steps to implement the logging policy via registry:

reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1

"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs"]
timestamp_override = "event.ingested"
type = "query"

# Two conjunctive groups over the script block text (script block logging events
# are expected to carry event.category:process in this data stream — confirm
# against the integration's mapping).
# Group 1 matches generic string-assembly primitives (join, char/int conversion,
# BXor, array reverse, SecureString decoding); on their own these would likely be
# noisy, since "replace" and "char" in particular is a very broad sub-clause.
# Group 2 is what narrows the rule: markers typical of Invoke-Obfuscation output —
# pulling characters out of built-in variables ($pSHoMe[..], $ShellId[..], building
# `iex` from $env:ComSpec[4,15,25] or $VerbosePreference[1,3]+'X'), OFS tricks, or
# reversed keywords ("rahc" = char, "ekovin" = invoke, "gnirts" = string,
# "ecnereferpesobrev" = verbosepreference, "ecalper" = replace, "cepsmoc" = comspec,
# "dillehs" = shellid).
# Quoted KQL terms are phrase matches; whether the mixed-case literals match
# case-insensitively depends on how script_block_text is analyzed — verify against
# the field mapping before relying on exact casing.
query = '''
event.category:process and host.os.type:windows and
  powershell.file.script_block_text : (
    "[string]::join" or
    "-Join" or
    "[convert]::toint16" or
    "[char][int]$_" or
    ("ConvertTo-SecureString" and "PtrToStringAuto") or
    ".GetNetworkCredential().password" or
    "-BXor" or
    ("replace" and "char") or
    "[array]::reverse"
  ) and
  powershell.file.script_block_text : (
    ("$pSHoMe[" and "+$pSHoMe[") or
    ("$ShellId[" and "+$ShellId[") or
    ("$env:ComSpec[4" and "25]-Join") or
    (("Set-Variable" or "SV" or "Set-Item") and "OFS") or
    ("*MDR*" and "Name[3,11,2]") or
    ("$VerbosePreference" and "[1,3]+'X'-Join''") or
    ("rahc" or "ekovin" or "gnirts" or "ecnereferpesobrev" or "ecalper" or "cepsmoc" or "dillehs")
  )
'''

# ATT&CK mapping 1: the obfuscation itself (Defense Evasion).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1027"
name = "Obfuscated Files or Information"
reference = "https://attack.mitre.org/techniques/T1027/"

[[rule.threat.technique]]
id = "T1140"
name = "Deobfuscate/Decode Files or Information"
reference = "https://attack.mitre.org/techniques/T1140/"


# Tactic for the two techniques above. It must stay between this [[rule.threat]]
# header and the next one, since a dotted header attaches to the most recent element.
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"


# ATT&CK mapping 2: the interpreter being abused (Execution via PowerShell).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
# Sub-technique of the T1059 element directly above.
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"



# Tactic for this second [[rule.threat]] element.
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
