Potential PowerShell Obfuscation via Character Array Reconstruction

 1[metadata]
 2creation_date = "2025/04/14"
 3integration = ["windows"]
 4maturity = "production"
 5min_stack_comments = "The ES|QL MATCH operator was introduced in 8.17"
 6min_stack_version = "8.17.0"
 7updated_date = "2025/04/14"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies PowerShell scripts that use character arrays and runtime string reconstruction as a form of obfuscation. This
13technique breaks strings into individual characters, often using constructs like char[] with index-based access or
14joining logic. These methods are designed to evade static analysis and bypass security protections such as the
15Antimalware Scan Interface (AMSI).
16"""
17from = "now-9m"
18language = "esql"
19license = "Elastic License v2"
20name = "Potential PowerShell Obfuscation via Character Array Reconstruction"
21risk_score = 21
22rule_id = "85e2d45e-a3df-4acf-83d3-21805f564ff4"
23setup = """## Setup
24
25The 'PowerShell Script Block Logging' logging policy must be enabled.
26Steps to implement the logging policy with Advanced Audit Configuration:

1
2Steps to implement the logging policy via registry:

 1"""
 2severity = "low"
 3tags = [
 4    "Domain: Endpoint",
 5    "OS: Windows",
 6    "Use Case: Threat Detection",
 7    "Tactic: Defense Evasion",
 8    "Data Source: PowerShell Logs",
 9]
10timestamp_override = "event.ingested"
11type = "esql"
12
13query = '''
14FROM logs-windows.powershell_operational* metadata _id, _version, _index
15| WHERE event.code == "4104"
16
17// Filter for scripts that contain the "char" keyword using MATCH, boosts the query performance
18| WHERE powershell.file.script_block_text : "char"
19
20// Replace string format expressions with 🔥 to enable counting the occurrence of the patterns we are looking for
21// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1
22| EVAL replaced_with_fire = REPLACE(powershell.file.script_block_text, """(char\[\]\]\(\d+,\d+[^)]+|(\s?\(\[char\]\d+\s?\)\+){2,})""", "🔥")
23
24// Count how many patterns were detected by calculating the number of 🔥 characters inserted
25| EVAL count = LENGTH(replaced_with_fire) - LENGTH(REPLACE(replaced_with_fire, "🔥", ""))
26
27// Keep the fields relevant to the query, although this is not needed as the alert is populated using _id
28| KEEP count, replaced_with_fire, powershell.file.script_block_text, powershell.file.script_block_id, file.path, powershell.sequence, powershell.total, _id, _index, host.name, agent.id, user.id
29| WHERE count >= 1
30'''
31
32
33[[rule.threat]]
34framework = "MITRE ATT&CK"
35[[rule.threat.technique]]
36id = "T1027"
37name = "Obfuscated Files or Information"
38reference = "https://attack.mitre.org/techniques/T1027/"
39
40[[rule.threat.technique]]
41id = "T1140"
42name = "Deobfuscate/Decode Files or Information"
43reference = "https://attack.mitre.org/techniques/T1140/"
44
45
46[rule.threat.tactic]
47id = "TA0005"
48name = "Defense Evasion"
49reference = "https://attack.mitre.org/tactics/TA0005/"
50[[rule.threat]]
51framework = "MITRE ATT&CK"
52[[rule.threat.technique]]
53id = "T1059"
54name = "Command and Scripting Interpreter"
55reference = "https://attack.mitre.org/techniques/T1059/"
56[[rule.threat.technique.subtechnique]]
57id = "T1059.001"
58name = "PowerShell"
59reference = "https://attack.mitre.org/techniques/T1059/001/"
60
61
62
63[rule.threat.tactic]
64id = "TA0002"
65name = "Execution"
66reference = "https://attack.mitre.org/tactics/TA0002/"