Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion

Identifies PowerShell scripts that use backtick-escaped characters inside ${} variable expansion as a form of obfuscation. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI).

Elastic rule (View on GitHub)

[metadata]
creation_date = "2025/04/16"
integration = ["windows"]
maturity = "production"
updated_date = "2025/07/16"

[rule]
author = ["Elastic"]
description = """
Identifies PowerShell scripts that use backtick-escaped characters inside ${} variable expansion as a form of
obfuscation. These methods are designed to evade static analysis and bypass security protections such as the Antimalware
Scan Interface (AMSI).
"""
from = "now-9m"
language = "esql"
license = "Elastic License v2"
name = "Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion

PowerShell, a powerful scripting language in Windows environments, can be exploited by adversaries using obfuscation techniques like backtick-escaped variable expansion to evade detection. This method involves disguising malicious scripts to bypass security measures. The detection rule identifies scripts with excessive length and specific obfuscation patterns, flagging potential threats for further analysis.

### Possible investigation steps

- Review the `powershell.file.script_block_text` field to understand the content of the script and identify any suspicious or malicious commands.
- Examine the `file.path` and `file.name` fields to determine the origin and context of the script execution, which may provide insights into whether the script is part of a legitimate process or potentially malicious activity.
- Check the `host.name` and `agent.id` fields to identify the affected system and correlate with other security events or logs from the same host for additional context.
- Analyze the `user.id` field to determine which user account executed the script, and assess whether this activity aligns with the user's typical behavior or role.
- Investigate the `powershell.file.script_block_id` and `powershell.sequence` fields to trace the execution flow of the script and identify any related script blocks that may have been executed in sequence.
- Consider the `count` field to evaluate the extent of obfuscation used in the script, which may indicate the level of sophistication or intent behind the script.

### False positive analysis

- Scripts with legitimate administrative functions may use backtick-escaped variable expansion for complex string manipulations. Review the script's context and purpose to determine if it aligns with expected administrative tasks.
- Automated scripts generated by trusted software might include obfuscation patterns as part of their normal operation. Verify the source and integrity of the software to ensure it is from a reputable vendor.
- Developers and IT professionals may use obfuscation techniques during testing or development phases. Establish a process to whitelist known development environments or user accounts to reduce unnecessary alerts.
- PowerShell scripts that are part of legitimate security tools or monitoring solutions may trigger the rule. Identify and exclude these tools by their file path or script block ID to prevent false positives.
- Regularly update the list of known false positives based on historical data and feedback from users to refine the detection rule and improve its accuracy.

### Response and remediation

- Isolate the affected host immediately to prevent further spread of the potentially malicious script across the network.
- Terminate any suspicious PowerShell processes identified by the alert to halt the execution of obfuscated scripts.
- Conduct a thorough review of the script block text and associated file paths to identify and remove any malicious scripts or files from the system.
- Reset credentials for any user accounts involved in the alert to mitigate the risk of compromised credentials being used for further attacks.
- Escalate the incident to the security operations team for a deeper investigation into potential lateral movement or additional compromised systems.
- Implement enhanced monitoring on the affected host and similar systems to detect any recurrence of obfuscation techniques or related suspicious activities.
- Update endpoint protection and intrusion detection systems with indicators of compromise (IOCs) derived from the analysis to improve detection capabilities for similar threats in the future.
"""
risk_score = 21
rule_id = "d43f2b43-02a1-4219-8ce9-10929a32a618"
setup = """## Setup

The 'PowerShell Script Block Logging' logging policy must be enabled.
Steps to implement the logging policy with Advanced Audit Configuration:

```
Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable)
```

Steps to implement the logging policy via registry:

```
reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
```
"""
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: PowerShell Logs",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-windows.powershell_operational* metadata _id, _version, _index
| where event.code == "4104"

// Filter out smaller scripts that are unlikely to implement obfuscation using the patterns we are looking for
| eval Esql.script_block_length = length(powershell.file.script_block_text)
| where Esql.script_block_length > 500

// replace the patterns we are looking for with the 🔥 emoji to enable counting them
// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1
| eval Esql.script_block_tmp = replace(powershell.file.script_block_text, """\$\{(\w++`){2,}\w++\}""", "🔥")

// count how many patterns were detected by calculating the number of 🔥 characters inserted
| eval Esql.script_block_pattern_count = length(Esql.script_block_tmp) - length(replace(Esql.script_block_tmp, "🔥", ""))

// keep the fields relevant to the query, although this is not needed as the alert is populated using _id
| keep
    Esql.script_block_pattern_count,
    Esql.script_block_length,
    Esql.script_block_tmp,
    powershell.file.script_block_text,
    powershell.file.script_block_id,
    file.path,
    file.name,
    powershell.sequence,
    powershell.total,
    _id,
    _index,
    host.name,
    agent.id,
    user.id

// Filter for scripts that match the pattern at least once
| where Esql.script_block_pattern_count >= 1
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1027"
name = "Obfuscated Files or Information"
reference = "https://attack.mitre.org/techniques/T1027/"

[[rule.threat.technique]]
id = "T1140"
name = "Deobfuscate/Decode Files or Information"
reference = "https://attack.mitre.org/techniques/T1140/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
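The following is an added Python port of the query's counting logic, useful for testing the regex against sample script blocks offline; it is not Elastic's code or part of the rule. It assumes Python's `re` with greedy `\w+` in place of the ES|QL possessive `\w++` (both match the same strings here, since `\w` can never consume a backtick) and uses constructed script-block samples in place of real event 4104 records.

```python
import re

# Same pattern as the rule, minus the possessive quantifiers (greedy \w+ matches
# identically here because a backtick is never a word character).
BACKTICK_EXPANSION = re.compile(r"\$\{(\w+`){2,}\w+\}")
MARKER = "\U0001F525"        # the 🔥 placeholder the query substitutes before counting
MIN_SCRIPT_LENGTH = 500      # the query's Esql.script_block_length > 500 filter


def count_patterns(script_block_text: str) -> int:
    """Mirror the query: replace each match with the marker, then count markers."""
    tmp = BACKTICK_EXPANSION.sub(MARKER, script_block_text)
    return len(tmp) - len(tmp.replace(MARKER, ""))


def evaluate(event: dict) -> dict:
    """Apply the rule's filters to one event record and return the derived fields."""
    text = event.get("powershell.file.script_block_text", "")
    length = len(text)
    count = count_patterns(text) if length > MIN_SCRIPT_LENGTH else 0
    alert = event.get("event.code") == "4104" and length > MIN_SCRIPT_LENGTH and count >= 1
    return {"script_block_length": length, "pattern_count": count, "alert": alert}


# Constructed samples (not real telemetry). FILLER pushes a block past the 500-char filter.
FILLER = "# constructed filler line so the block exceeds the 500-character threshold\n" * 8
OBFUSCATED_EVENT = {  # two qualifying expansions; ${a`b} has only one backtick and does not count
    "event.code": "4104",
    "powershell.file.script_block_text": FILLER + "${v`a`r1} = 1\n${o`u`t} = 2\n${a`b} = 3\n",
}
SHORT_EVENT = {  # same pattern, but below the length filter, so the rule skips it
    "event.code": "4104",
    "powershell.file.script_block_text": "${v`a`r1} = 1\n",
}
BENIGN_EVENT = {  # long script using ordinary ${env:PATH} syntax: no backticks, no match
    "event.code": "4104",
    "powershell.file.script_block_text": FILLER + "$env:PATH\n${env:PATH}\n",
}

if __name__ == "__main__":
    for name, ev in (("obfuscated", OBFUSCATED_EVENT), ("short", SHORT_EVENT), ("benign", BENIGN_EVENT)):
        print(name, evaluate(ev))
```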
