Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation

 1[metadata]
 2creation_date = "2025/04/15"
 3integration = ["windows"]
 4maturity = "production"
 5updated_date = "2025/07/16"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies PowerShell scripts that use concatenated strings within dynamic command invocation (&() or .()) as a form of
11obfuscation. These methods are designed to evade static analysis and bypass security protections such as the Antimalware
12Scan Interface (AMSI).
13"""
14from = "now-9m"
15language = "esql"
16license = "Elastic License v2"
17name = "Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation"
18note = """ ## Triage and analysis
19
20> **Disclaimer**:
21> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
22
23### Investigating Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation
24
25PowerShell is a powerful scripting language used for task automation and configuration management in Windows environments. Adversaries exploit its capabilities by obfuscating commands to evade detection, often using concatenated strings in dynamic invocations. This detection rule identifies such obfuscation by analyzing script patterns, specifically looking for concatenated strings within dynamic command invocations, which are indicative of attempts to bypass security measures like AMSI. By counting these patterns, the rule effectively flags suspicious scripts, aiding in the identification of potential threats.
26
27### Possible investigation steps
28
29- Review the `powershell.file.script_block_text` field to understand the content and purpose of the script, focusing on the concatenated strings and dynamic command invocations.
30- Check the `host.name` and `user.id` fields to identify the machine and user account associated with the execution of the suspicious script, which can help determine if the activity is expected or anomalous.
31- Analyze the `file.path` field to locate the script's source or storage location, which may provide additional context or indicate if the script is part of a known application or process.
32- Investigate the `powershell.file.script_block_id` and `powershell.sequence` fields to trace the execution sequence and correlate it with other related PowerShell activities, which might reveal a broader pattern of behavior.
33- Assess the `agent.id` field to determine the specific endpoint agent involved, which can assist in further endpoint-specific investigations or actions.
34
35### False positive analysis
36
37- Scripts with legitimate concatenated strings for dynamic command execution may trigger the rule. Review the script context to determine if the concatenation serves a valid administrative purpose.
38- Automated scripts from trusted sources that use concatenation for modularity or readability might be flagged. Consider adding these scripts to an allowlist if they are verified as safe.
39- Development or testing environments where PowerShell scripts are frequently modified and tested could generate false positives. Implement exceptions for known development hosts or user accounts.
40- Security tools or monitoring solutions that use PowerShell for legitimate operations may inadvertently match the pattern. Identify these tools and exclude their operations from the rule.
41- Regularly review and update the exclusion list to ensure it reflects the current environment and does not inadvertently allow malicious activity.
42
43### Response and remediation
44
45- Isolate the affected host immediately to prevent further execution of potentially malicious scripts and limit lateral movement within the network.
46- Terminate any suspicious PowerShell processes identified by the alert to halt the execution of obfuscated commands.
47- Conduct a thorough review of the script block text and associated script block ID to understand the intent and potential impact of the obfuscated commands.
48- Remove any unauthorized or malicious scripts from the affected system and ensure that all legitimate scripts are verified and signed.
49- Restore the affected system from a known good backup if any malicious activity is confirmed, ensuring that all data integrity checks are performed.
50- Escalate the incident to the security operations team for further analysis and to determine if additional systems have been compromised.
51- Update endpoint protection and monitoring tools to enhance detection capabilities for similar obfuscation techniques, leveraging insights from the MITRE ATT&CK framework.
52"""
53risk_score = 21
54rule_id = "083383af-b9a4-42b7-a463-29c40efe7797"
55setup = """## Setup
56
57The 'PowerShell Script Block Logging' logging policy must be enabled.
58Steps to implement the logging policy with Advanced Audit Configuration:

1
2Steps to implement the logging policy via registry:

 1"""
 2severity = "low"
 3tags = [
 4    "Domain: Endpoint",
 5    "OS: Windows",
 6    "Use Case: Threat Detection",
 7    "Tactic: Defense Evasion",
 8    "Data Source: PowerShell Logs",
 9    "Resources: Investigation Guide",
10]
11timestamp_override = "event.ingested"
12type = "esql"
13
14query = '''
15from logs-windows.powershell_operational* metadata _id, _version, _index
16| where event.code == "4104" and powershell.file.script_block_text like "*+*"
17
18// replace the patterns we are looking for with the 🔥 emoji to enable counting them
19// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1
20| eval Esql.script_block_tmp = replace(
21    powershell.file.script_block_text,
22    """[.&]\(\s*(['"][A-Za-z0-9.-]+['"]\s*\+\s*)+['"][A-Za-z0-9.-]+['"]\s*\)""",
23    "🔥"
24)
25
26// count how many patterns were detected by calculating the number of 🔥 characters inserted
27| eval Esql.script_block_pattern_count = length(Esql.script_block_tmp) - length(replace(Esql.script_block_tmp, "🔥", ""))
28
29// keep the fields relevant to the query, although this is not needed as the alert is populated using _id
30| keep
31    Esql.script_block_pattern_count,
32    Esql.script_block_tmp,
33    powershell.file.script_block_text,
34    powershell.file.script_block_id,
35    file.path,
36    powershell.sequence,
37    powershell.total,
38    _id,
39    _index,
40    host.name,
41    agent.id,
42    user.id
43
44// Filter for scripts that match the pattern at least once
45| where Esql.script_block_pattern_count >= 1
46'''
47
48
49[[rule.threat]]
50framework = "MITRE ATT&CK"
51[[rule.threat.technique]]
52id = "T1027"
53name = "Obfuscated Files or Information"
54reference = "https://attack.mitre.org/techniques/T1027/"
55
56[[rule.threat.technique]]
57id = "T1140"
58name = "Deobfuscate/Decode Files or Information"
59reference = "https://attack.mitre.org/techniques/T1140/"
60
61
62[rule.threat.tactic]
63id = "TA0005"
64name = "Defense Evasion"
65reference = "https://attack.mitre.org/tactics/TA0005/"
66[[rule.threat]]
67framework = "MITRE ATT&CK"
68[[rule.threat.technique]]
69id = "T1059"
70name = "Command and Scripting Interpreter"
71reference = "https://attack.mitre.org/techniques/T1059/"
72[[rule.threat.technique.subtechnique]]
73id = "T1059.001"
74name = "PowerShell"
75reference = "https://attack.mitre.org/techniques/T1059/001/"
76
77
78
79[rule.threat.tactic]
80id = "TA0002"
81name = "Execution"
82reference = "https://attack.mitre.org/tactics/TA0002/"