Potential PowerShell Obfuscation via Character Array Reconstruction
Identifies PowerShell scripts that use character arrays and runtime string reconstruction as a form of obfuscation. This technique breaks strings into individual characters, often using constructs like char[] with index-based access or joining logic. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI).
Elastic rule (View on GitHub)
[metadata]
creation_date = "2025/04/14"
integration = ["windows"]
maturity = "production"
updated_date = "2025/07/16"

[rule]
author = ["Elastic"]
description = """
Identifies PowerShell scripts that use character arrays and runtime string reconstruction as a form of obfuscation. This
technique breaks strings into individual characters, often using constructs like char[] with index-based access or
joining logic. These methods are designed to evade static analysis and bypass security protections such as the
Antimalware Scan Interface (AMSI).
"""
from = "now-9m"
language = "esql"
license = "Elastic License v2"
name = "Potential PowerShell Obfuscation via Character Array Reconstruction"
19note = """ ## Triage and analysis
20
21> **Disclaimer**:
22> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
23
24### Investigating Potential PowerShell Obfuscation via Character Array Reconstruction
25
26PowerShell, a powerful scripting language, is often targeted by adversaries for obfuscation to bypass security measures. By reconstructing strings from character arrays, attackers evade static analysis and detection. The detection rule identifies scripts using such obfuscation by searching for patterns indicative of character array manipulation, thus flagging potential threats for further investigation.
27
28### Possible investigation steps
29
30- Review the powershell.file.script_block_text field to understand the content and intent of the script, focusing on the obfuscated parts indicated by the presence of the "char" keyword and the 🔥 character.
31- Examine the file.path and host.name fields to determine the origin and location of the script execution, which can provide context about the environment and potential risk.
32- Check the user.id and agent.id fields to identify the user and agent responsible for executing the script, which can help assess whether the activity is expected or suspicious.
33- Analyze the powershell.file.script_block_id and powershell.sequence fields to trace the execution sequence and correlate it with other related script blocks, providing a broader view of the script's behavior.
34- Investigate the count field to assess the extent of obfuscation, as a higher count may indicate more complex or extensive obfuscation techniques being used.
35
36### False positive analysis
37
38- Scripts used for legitimate administrative tasks may use character arrays for performance optimization or to handle special characters. Review the script's purpose and context to determine if it aligns with known administrative functions.
39- PowerShell scripts from trusted sources or vendors might use character arrays for legitimate obfuscation to protect intellectual property. Verify the script's origin and check for digital signatures or hashes to confirm authenticity.
40- Automated scripts generated by development tools or frameworks could include character array manipulation as part of their standard output. Identify and whitelist these tools if they are commonly used in your environment.
41- Security tools or monitoring solutions might use character arrays in their scripts for legitimate purposes. Cross-reference with known security software and consider excluding these from the detection rule if they are verified as safe.
42- Regularly update the exclusion list to include new trusted scripts or tools as they are introduced into the environment, ensuring that legitimate activities are not flagged as false positives.
43
44### Response and remediation
45
46- Isolate the affected host immediately to prevent further spread of potentially malicious scripts or unauthorized access.
47- Terminate any suspicious PowerShell processes identified by the alert to halt ongoing obfuscation activities.
48- Conduct a thorough review of the script block text and associated logs to identify any malicious payloads or commands executed.
49- Remove any identified malicious scripts or files from the affected system to prevent re-execution.
50- Reset credentials for any user accounts involved in the alert to mitigate potential credential compromise.
51- Update endpoint protection and ensure that AMSI and other security features are fully enabled and configured to detect similar threats.
52- Escalate the incident to the security operations center (SOC) for further analysis and to determine if additional systems are affected.
53"""
risk_score = 21
rule_id = "85e2d45e-a3df-4acf-83d3-21805f564ff4"
setup = """## Setup

The 'PowerShell Script Block Logging' logging policy must be enabled.
Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable)

Steps to implement the logging policy via registry:

reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
"""
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: PowerShell Logs",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-windows.powershell_operational* metadata _id, _version, _index
| where event.code == "4104"

// Pre-filter for script blocks that contain the "char" keyword using MATCH, which boosts query performance
| where powershell.file.script_block_text : "char"

// Replace each occurrence of the patterns we are looking for with the 🔥 emoji so they can be counted
// The emoji is used because it is unlikely to appear in scripts and has a consistent character length of 1
| eval Esql.script_block_tmp = replace(
    powershell.file.script_block_text,
    """(char\[\]\]\(\d+,\d+[^)]+|(\s?\(\[char\]\d+\s?\)\+){2,})""",
    "🔥"
)

// Count how many patterns were detected by counting the 🔥 characters inserted
| eval Esql.script_block_pattern_count = length(Esql.script_block_tmp) - length(replace(Esql.script_block_tmp, "🔥", ""))

// Keep the fields relevant to the query; not strictly needed, as the alert is populated using _id
| keep
    Esql.script_block_pattern_count,
    Esql.script_block_tmp,
    powershell.file.script_block_text,
    powershell.file.script_block_id,
    file.path,
    powershell.sequence,
    powershell.total,
    _id,
    _index,
    host.name,
    agent.id,
    user.id

// Keep only script blocks that match the pattern at least once
| where Esql.script_block_pattern_count >= 1
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1027"
name = "Obfuscated Files or Information"
reference = "https://attack.mitre.org/techniques/T1027/"

[[rule.threat.technique]]
id = "T1140"
name = "Deobfuscate/Decode Files or Information"
reference = "https://attack.mitre.org/techniques/T1140/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
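To see what the query's replace-and-count logic actually flags, here is an added Python emulation of the rule (not Elastic's code or part of the rule) run over constructed 4104 script-block events; the substring check on "char" is an approximation of the ES|QL `:` match, and the host names and SIDs are placeholders.

```python
import re

# The regular expression the rule passes to ES|QL replace(); the constructs it
# uses (classes, alternation, {2,} repetition) behave the same in Python's re.
CHAR_ARRAY_PATTERN = re.compile(
    r"(char\[\]\]\(\d+,\d+[^)]+|(\s?\(\[char\]\d+\s?\)\+){2,})"
)
MARKER = "\U0001F525"  # the 🔥 placeholder the rule substitutes for each match


def pattern_count(script_block_text):
    """Emulates the two eval steps: substitute 🔥 per match, then count markers."""
    tmp = CHAR_ARRAY_PATTERN.sub(MARKER, script_block_text)
    return len(tmp) - len(tmp.replace(MARKER, ""))


def evaluate_event(event):
    """Applies the rule to one document (a flat dict keyed by ECS field names).
    Returns the alert fields when the block matches, otherwise None. The plain
    substring test approximates the ES|QL ':' match on "char" (assumption)."""
    if event.get("event.code") != "4104":
        return None
    text = event["powershell.file.script_block_text"]
    if "char" not in text.lower():
        return None
    count = pattern_count(text)
    if count < 1:
        return None
    return {"host.name": event["host.name"], "user.id": event["user.id"],
            "Esql.script_block_pattern_count": count}


def run_rule(events):
    """Keeps only the events the rule would alert on."""
    return [hit for hit in map(evaluate_event, events) if hit is not None]


def _ev(code, host, uid, text):  # builds one constructed sample event
    return {"event.code": code, "host.name": host, "user.id": uid,
            "powershell.file.script_block_text": text}

# Constructed sample events; host names and SIDs are placeholders.
SAMPLE_EVENTS = [
    _ev("4104", "ws01", "S-1-5-21-1", "$s = -join [char[]](72,101,108,108,111); Write-Output $s"),
    _ev("4104", "ws02", "S-1-5-21-2", "$x = ([char]72)+([char]105)+([char]33); Write-Output $x"),
    _ev("4104", "ws03", "S-1-5-21-3", "$tab = [char]9; Write-Output ('a' + $tab + 'b')"),  # benign
    _ev("4104", "ws04", "S-1-5-21-4",
        "$a = -join [char[]](71,101,116); $b = ([char]68)+([char]97)+([char]116)+([char]101)"),
    _ev("4103", "ws05", "S-1-5-21-5", "$y = ([char]65)+([char]66)+"),  # not a 4104 event
]
```

Running `run_rule(SAMPLE_EVENTS)` yields hits for ws01, ws02 and ws04 only; the single `[char]9` on ws03 passes the "char" pre-filter but produces a count of 0, which is the kind of benign use the false-positive section describes.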
Related rules
- Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion
- Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation
- Potential PowerShell Obfuscation via Special Character Overuse
- Potential PowerShell Obfuscation via String Concatenation
- PowerShell Obfuscation via Negative Index String Reversal