Potential PowerShell Obfuscated Script
Identifies scripts that contain patterns and known methods that obfuscate PowerShell code. Attackers can use obfuscation techniques to bypass PowerShell security protections such as Antimalware Scan Interface (AMSI).
# Repository bookkeeping for the rule; none of these keys affect the query.
[metadata]
# Dates are kept as "YYYY/MM/DD" strings (the form this rule schema appears to
# expect, so do not convert them to native TOML dates). updated_date equals
# creation_date, i.e. the rule has not been revised since it was written.
creation_date = "2024/07/03"
# Elastic integration that produces the source events (see the
# logs-windows.powershell* index pattern in [rule]).
integration = ["windows"]
maturity = "production"
updated_date = "2024/07/03"

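[rule]
author = ["Elastic"]
description = """
Identifies scripts that contain patterns and known methods that obfuscate PowerShell code. Attackers can use obfuscation
techniques to bypass PowerShell security protections such as Antimalware Scan Interface (AMSI).
"""
# Look-back window of each run. Because timestamp_override below points at
# event.ingested, the window is measured against ingestion time rather than the
# event's own timestamp (presumably to absorb ingestion delay -- confirm against
# the rule's scheduled interval).
from = "now-9m"
# Legacy Winlogbeat indices plus the windows integration's PowerShell data
# stream. The query below only works where powershell.file.script_block_text is
# populated, which requires the logging policy described in `setup`.
index = ["winlogbeat-*", "logs-windows.powershell*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential PowerShell Obfuscated Script"
# The second query group is modelled on artifacts of this framework's output.
references = ["https://github.com/danielbohannon/Invoke-Obfuscation"]
# 47 is the risk score Elastic usually pairs with severity "medium".
risk_score = 47
rule_id = "8025db49-c57c-4fc0-bd86-7ccd6d10a35a"
# Basic ("""...""") multi-line string: a backslash starts an escape sequence,
# so the backslashes in the registry path must be written as \\ (a bare \S or
# \P is an invalid escape and fails to parse). The value the user sees is the
# single-backslash path.
setup = """## Setup

The 'PowerShell Script Block Logging' logging policy must be enabled.
Steps to implement the logging policy with Advanced Audit Configuration:
Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable)

Steps to implement the logging policy via registry:
reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs"]
# Evaluate the window on ingestion time (see `from`).
timestamp_override = "event.ingested"
type = "query"
# NOTE(review): there is no `note` (investigation guide) field; analysts get no
# triage guidance for hits of this rule beyond the description.

# Two groups of script-block text patterns, and BOTH must match:
#  1. generic string-assembly / decoding primitives -- joins, [convert] and
#     [char][int] casts, -BXor, replace+char, [array]::reverse, and unwrapping a
#     SecureString / PSCredential back to plaintext;
#  2. artifacts characteristic of Invoke-Obfuscation: assembling a token
#     character-by-character out of well-known variables ($pSHoMe, $ShellId,
#     $env:ComSpec, $VerbosePreference, the *MDR* ... Name[3,11,2] trick) or via
#     $OFS (PowerShell's output field separator) set with Set-Variable/SV/
#     Set-Item, plus the reversed tokens on the last line: "rahc" = "char",
#     "ekovin" = "invoke", "gnirts" = "string", "ecnereferpesobrev" =
#     "verbosepreference", "ecalper" = "replace", "cepsmoc" = "comspec",
#     "dillehs" = "shellid", which pair with [array]::reverse in group 1.
#     In Invoke-Obfuscation these constructs typically reassemble the `iex`
#     token -- verify against the reference above before tuning them.
# The AND between the two groups is what stops generic tokens such as "-Join"
# or "replace" from alerting on their own; loosening either group will raise
# the false-positive rate sharply.
query = '''
event.category:process and host.os.type:windows and
 powershell.file.script_block_text : (
 "[string]::join" or
 "-Join" or
 "[convert]::toint16" or
 "[char][int]$_" or
 ("ConvertTo-SecureString" and "PtrToStringAuto") or
 ".GetNetworkCredential().password" or
 "-BXor" or
 ("replace" and "char") or
 "[array]::reverse"
 ) and
 powershell.file.script_block_text : (
 ("$pSHoMe[" and "+$pSHoMe[") or
 ("$ShellId[" and "+$ShellId[") or
 ("$env:ComSpec[4" and "25]-Join") or
 (("Set-Variable" or "SV" or "Set-Item") and "OFS") or
 ("*MDR*" and "Name[3,11,2]") or
 ("$VerbosePreference" and "[1,3]+'X'-Join''") or
 ("rahc" or "ekovin" or "gnirts" or "ecnereferpesobrev" or "ecalper" or "cepsmoc" or "dillehs")
 )
'''
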
# ATT&CK mapping 1: Defense Evasion, covering both the obfuscation (T1027) and
# the in-script decoding (T1140) that the query looks for.
[[rule.threat]]
framework = "MITRE ATT&CK"
tactic = { id = "TA0005", name = "Defense Evasion", reference = "https://attack.mitre.org/tactics/TA0005/" }
technique = [
    { id = "T1027", name = "Obfuscated Files or Information", reference = "https://attack.mitre.org/techniques/T1027/" },
    { id = "T1140", name = "Deobfuscate/Decode Files or Information", reference = "https://attack.mitre.org/techniques/T1140/" },
]

# ATT&CK mapping 2: Execution via the PowerShell interpreter (T1059.001).
# `tactic` is given inline here so it is not mistaken for a key of the
# technique entry that follows.
[[rule.threat]]
framework = "MITRE ATT&CK"
tactic = { id = "TA0002", name = "Execution", reference = "https://attack.mitre.org/tactics/TA0002/" }

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
subtechnique = [
    { id = "T1059.001", name = "PowerShell", reference = "https://attack.mitre.org/techniques/T1059/001/" },
]