PowerShell Obfuscation via Negative Index String Reversal

  1[metadata]
  2creation_date = "2025/04/14"
  3integration = ["windows"]
  4maturity = "production"
  5updated_date = "2026/02/09"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects PowerShell scripts that uses negative index ranges (for example, $var[-1..0]) to reverse strings or arrays and
 11rebuild content at runtime. Attackers use index reversal to reconstruct hidden commands or payloads and evade static
 12analysis and AMSI.
 13"""
 14from = "now-9m"
 15language = "esql"
 16license = "Elastic License v2"
 17name = "PowerShell Obfuscation via Negative Index String Reversal"
 18note = """## Triage and analysis
 19
 20> **Disclaimer**:
 21> This guide was created by humans with the assistance of generative AI. While its contents have been manually curated to include the most valuable information, always validate assumptions and adjust procedures to match your internal runbooks and incident triage and response policies.
 22
 23### Investigating PowerShell Obfuscation via Negative Index String Reversal
 24
 25This alert flags PowerShell script block content that uses negative index ranges to reverse strings or arrays and rebuild content at runtime. This pattern can be used to hide command text and reduce readability during review, so the primary goal is to recover the reconstructed content and determine what it does in the observed execution context.
 26
 27#### Key alert fields to review
 28
 29- `user.name`, `user.domain`, `user.id`: Account execution context for correlation, prioritization, and scoping.
 30- `host.name`, `host.id`: Host execution context for correlation, prioritization, and scoping.
 31- `file.path`, `file.directory`, `file.name`: File-origin context when the script block is sourced from an on-disk file.
 32- `powershell.file.script_block_text`: Script block content that matched the detection logic.
 33- `powershell.file.script_block_id`, `powershell.sequence`, `powershell.total`: Script block metadata to pivot to other fragments or reconstruct full script content when split across multiple events.
 34- `Esql.script_block_tmp`: Transformed script block where detection patterns replace original content with a marker to support scoring/counting and quickly spot match locations.
 35- `Esql.script_block_pattern_count`: Count of matches for the detection pattern(s) observed in the script block content.
 36- `powershell.file.script_block_entropy_bits`: Shannon entropy of the script block. Higher values may indicate obfuscation.
 37- `powershell.file.script_block_surprisal_stdev`: Standard deviation of surprisal across the script block. Low values indicate uniform randomness. High values indicate mixed patterns and variability.
 38- `powershell.file.script_block_unique_symbols`: Count of distinct characters present in the script block.
 39- `powershell.file.script_block_length`: Script block length (size) context.
 40
 41#### Possible investigation steps
 42
 43- Review `powershell.file.script_block_text` and locate the reversal logic. Use `Esql.script_block_tmp` to quickly find match positions, then identify:
 44  - The variable or array being reversed
 45  - The reconstructed output (string, byte array, or command fragment)
 46  - The sink where the output is used (for example, passed into a dynamic execution routine, used as a URL, or written to disk)
 47- Reconstruct the final value produced by the reversal. Focus on what the script is trying to rebuild (commands, URLs, file paths, registry paths, encoded blobs, or arguments) and record the recovered strings for scoping.
 48- If the script block is fragmented, pivot on `powershell.file.script_block_id` and use `powershell.sequence` and `powershell.total` to rebuild the full script in order. Reassess intent based on the complete content rather than a single fragment.
 49- Use `Esql.script_block_pattern_count` to prioritize reviews:
 50  - Single-use reversal may be utility logic and requires context to judge
 51  - Repeated reversal across a long script is more consistent with obfuscation wrappers
 52- Use script complexity signals to guide triage:
 53  - High `powershell.file.script_block_entropy_bits` and high `powershell.file.script_block_unique_symbols` can indicate encoded or staged content
 54  - Compare `powershell.file.script_block_surprisal_stdev` with the script content to determine whether the script mixes readable logic with high-randomness segments
 55- Validate execution context with `user.name`, `user.domain`, `user.id`, `host.name`, and `host.id`. Prioritize investigation when the user is unexpected for the host, the host is sensitive, or similar activity is new for that account.
 56- Review `file.path`, `file.directory`, and `file.name` (if present) to understand script origin. Treat unknown locations, new or renamed scripts, and ambiguous naming as higher risk, and check for additional script blocks tied to the same path.
 57- Scope related activity by searching for additional PowerShell script block events on the same `host.id` and `user.id` around `@timestamp`, and by pivoting on the same `powershell.file.script_block_id`. Look for:
 58  - Follow-on script blocks with clearer (deobfuscated) commands
 59  - Repeated use of similar reversal segments or reconstructed indicators
 60- If other endpoint telemetry is available, correlate activity on the same host and time window to identify what happened next (process launches, network connections, file writes, or other changes) and validate whether outcomes align with the reconstructed content.
 61
 62### False positive analysis
 63
 64- Legitimate scripts may reverse arrays or strings for formatting, parsing, or testing. These cases typically remain readable end-to-end and do not rely on multiple layers of reconstruction to produce executable behavior.
 65- Developer utilities and automation tooling can include dense string manipulation. Validate whether the observed `file.path` and execution context (`user.name`, `host.name`) align with approved workflows and whether the same script content recurs consistently across expected hosts.
 66- If activity is confirmed benign, prefer context-based tuning using stable attributes visible in the alert (for example, consistent `file.path` and recognizable script content patterns) rather than suppressing the technique broadly.
 67
 68### Response and remediation
 69
 70- If the reconstructed content indicates malicious behavior, isolate the affected host to limit further execution and reduce the risk of lateral movement.
 71- Preserve evidence by retaining the full `powershell.file.script_block_text` and all related fragments grouped by `powershell.file.script_block_id`. Capture the reconstructed strings and relevant metadata (`powershell.sequence`, `powershell.total`, `Esql.script_block_pattern_count`) in case notes.
 72- Identify and contain the execution source. If an unauthorized on-disk script is referenced by `file.path`, remove or quarantine it and investigate how it was introduced using your standard incident response workflow.
 73- Investigate the associated account (`user.id`) for signs of compromise. Apply account controls (credential reset, session invalidation, privilege review) based on your procedures and observed scope.
 74- Hunt for additional exposure by pivoting on recovered indicators and on recurrence of the reversal technique across hosts and users. Remediate any additional impacted endpoints identified during scoping.
 75- After containment, improve preventative controls appropriate for your environment, such as restricting PowerShell usage to approved users/hosts and enhancing monitoring for obfuscation and dynamic execution patterns.
 76"""
 77risk_score = 21
 78rule_id = "9edd1804-83c7-4e48-b97d-c776b4c97564"
 79setup = """## Setup
 80
 81PowerShell Script Block Logging must be enabled to generate the events used by this rule (e.g., 4104).
 82Setup instructions: https://ela.st/powershell-logging-setup
 83"""
 84severity = "low"
 85tags = [
 86    "Domain: Endpoint",
 87    "OS: Windows",
 88    "Use Case: Threat Detection",
 89    "Tactic: Defense Evasion",
 90    "Data Source: PowerShell Logs",
 91    "Resources: Investigation Guide",
 92]
 93timestamp_override = "event.ingested"
 94type = "esql"
 95
 96query = '''
 97from logs-windows.powershell_operational* metadata _id, _version, _index
 98| where event.code == "4104"
 99
100// Filter out smaller scripts that are unlikely to implement obfuscation using the patterns we are looking for
101| eval Esql.script_block_length = length(powershell.file.script_block_text)
102| where Esql.script_block_length > 500
103
104// replace the patterns we are looking for with the 🔥 emoji to enable counting them
105// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1
106| eval Esql.script_block_tmp = replace(
107    powershell.file.script_block_text,
108    """\$\w+\[\-\s?1\.\.""",
109    "🔥"
110)
111
112// count how many patterns were detected by calculating the number of 🔥 characters inserted
113| eval Esql.script_block_pattern_count = length(Esql.script_block_tmp) - length(replace(Esql.script_block_tmp, "🔥", ""))
114
115// keep the fields relevant to the query, although this is not needed as the alert is populated using _id
116| keep
117    Esql.script_block_pattern_count,
118    Esql.script_block_length,
119    Esql.script_block_tmp,
120    powershell.file.*,
121    file.name,
122    file.path,
123    powershell.sequence,
124    powershell.total,
125    _id,
126    _version,
127    _index,
128    host.name,
129    host.id,
130    agent.id,
131    user.id
132
133// Filter for scripts that match the pattern at least once
134| where Esql.script_block_pattern_count >= 1
135
136// FP Patterns
137| where not powershell.file.script_block_text like "*GENESIS-5654*"
138
139| where file.name not like ("PSFzf.psm1", "Tenable_API_AssetLists_IPv6Seeder.ps1", "Utility.ps1")
140  // ESQL requires this condition, otherwise it only returns matches where file.name exists.
141  or file.name is null
142'''
143
144
145[[rule.threat]]
146framework = "MITRE ATT&CK"
147[[rule.threat.technique]]
148id = "T1027"
149name = "Obfuscated Files or Information"
150reference = "https://attack.mitre.org/techniques/T1027/"
151
152[[rule.threat.technique]]
153id = "T1140"
154name = "Deobfuscate/Decode Files or Information"
155reference = "https://attack.mitre.org/techniques/T1140/"
156
157
158[rule.threat.tactic]
159id = "TA0005"
160name = "Defense Evasion"
161reference = "https://attack.mitre.org/tactics/TA0005/"
162[[rule.threat]]
163framework = "MITRE ATT&CK"
164[[rule.threat.technique]]
165id = "T1059"
166name = "Command and Scripting Interpreter"
167reference = "https://attack.mitre.org/techniques/T1059/"
168[[rule.threat.technique.subtechnique]]
169id = "T1059.001"
170name = "PowerShell"
171reference = "https://attack.mitre.org/techniques/T1059/001/"
172
173
174
175[rule.threat.tactic]
176id = "TA0002"
177name = "Execution"
178reference = "https://attack.mitre.org/tactics/TA0002/"
179
180[rule.investigation_fields]
181field_names = [
182    "@timestamp",
183    "user.name",
184    "user.id",
185    "user.domain",
186    "powershell.file.script_block_text",
187    "powershell.file.script_block_id",
188    "powershell.sequence",
189    "powershell.total",
190    "file.path",
191    "file.directory",
192    "file.name",
193    "process.pid",
194    "host.name",
195    "host.id",
196    "powershell.file.script_block_length"
197]