Potential PowerShell Obfuscation via Reverse Keywords

  1[metadata]
  2creation_date = "2025/04/14"
  3integration = ["windows"]
  4maturity = "production"
  5updated_date = "2026/02/09"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects PowerShell scripts containing reversed keyword strings associated with execution or network activity (for
 11example, ekovni, noisserpxe, daolnwod, tcejbo-wen, tcejboimw, etc.). Attackers reverse keywords and reconstruct them at
 12runtime to hide intent and evade static detection and AMSI.
 13"""
 14from = "now-9m"
 15language = "esql"
 16license = "Elastic License v2"
 17name = "Potential PowerShell Obfuscation via Reverse Keywords"
 18note = """## Triage and analysis
 19
 20> **Disclaimer**:
 21> This guide was created by humans with the assistance of generative AI. While its contents have been manually curated to include the most valuable information, always validate assumptions and adjust procedures to match your internal runbooks and incident triage and response policies.
 22
 23### Investigating Potential PowerShell Obfuscation via Reverse Keywords
 24
 25This alert indicates PowerShell script block content contains multiple reversed keyword strings commonly associated with execution, string manipulation, environment discovery, or networking. Reversing strings is frequently paired with runtime reconstruction (for example, reversing character arrays or joining string fragments) to reduce readability and evade simple content inspection.
 26
 27Determine whether the script is part of expected administrative automation, software tooling, or an unauthorized execution chain. Prioritize analysis that reconstructs the full script, deobfuscates the reversed tokens, and identifies any follow-on behaviors such as dynamic execution, network access, or system discovery.
 28
 29#### Key alert fields to review
 30
 31- `user.name`, `user.domain`, `user.id`: Account execution context for correlation, prioritization, and scoping.
 32- `host.name`, `host.id`: Host execution context for correlation, prioritization, and scoping.
 33- `file.path`, `file.directory`, `file.name`: File-origin context when the script block is sourced from an on-disk file.
 34- `powershell.file.script_block_text`: Script block content that matched the detection logic.
 35- `powershell.file.script_block_id`, `powershell.sequence`, `powershell.total`: Script block metadata to pivot to other fragments or reconstruct full script content when split across multiple events.
 36- `Esql.script_block_tmp`: Transformed script block where detection patterns replace original content with a marker to support scoring/counting and quickly spot match locations.
 37- `Esql.script_block_pattern_count`: Count of matches for the detection pattern(s) observed in the script block content.
 38- `powershell.file.script_block_entropy_bits`: Shannon entropy of the script block. Higher values may indicate obfuscation.
 39- `powershell.file.script_block_surprisal_stdev`: Standard deviation of surprisal across the script block. Low values indicate uniform randomness. High values indicate mixed patterns and variability.
 40- `powershell.file.script_block_unique_symbols`: Count of distinct characters present in the script block.
 41- `powershell.file.script_block_length`: Script block length (size) context.
 42
 43#### Possible investigation steps
 44
 45- Identify the execution scope and ownership:
 46  - Review `host.name` / `host.id` to confirm the affected endpoint and its criticality.
 47  - Review `user.id` (and `user.name` / `user.domain` if available) to understand the account context and whether this user is expected to run PowerShell on this host.
 48- Prioritize based on obfuscation signals:
 49  - Review `Esql.script_block_pattern_count`; higher counts suggest more extensive keyword hiding and can increase suspicion.
 50  - Use `powershell.file.script_block_length`, `powershell.file.script_block_entropy_bits`, `powershell.file.script_block_unique_symbols`, and `powershell.file.script_block_surprisal_stdev` to gauge how heavily obfuscated or machine-generated the content may be (treat these as supporting context, not proof of maliciousness).
 51- Reconstruct the full script content when split:
 52  - If `powershell.total` is greater than 1, retrieve all events with the same `powershell.file.script_block_id` and order them by `powershell.sequence` to rebuild the complete script block content.
 53  - Preserve both the reconstructed script and the original per-event `powershell.file.script_block_text` to maintain context and ordering.
 54- Deobfuscate and interpret intent:
 55  - Review `powershell.file.script_block_text` for reversed tokens and reverse them to identify the intended keywords and operations (for example, indicators of dynamic execution, downloads, socket/connection handling, WMI usage, or Win32 references).
 56  - Look for runtime string reconstruction patterns in the script content (for example, joins, character array operations, or replace operations) that turn reversed fragments into executable commands or parameters.
 57  - Use `Esql.script_block_tmp` to quickly locate the matched areas, then validate findings against `powershell.file.script_block_text`.
 58- Evaluate file-origin context (when present):
 59  - Review `file.path` (and `file.directory` / `file.name` if available) to determine whether the script is associated with an on-disk file and whether that location aligns with your organization's expected script locations and deployment practices.
 60  - If an on-disk script is indicated, coordinate collection of the referenced file for offline analysis and determine whether it is present on other systems.
 61- Extract and operationalize indicators:
 62  - From `powershell.file.script_block_text`, extract any embedded indicators such as hostnames, IP addresses, URLs, ports, file paths, or encoded blobs.
 63  - Use extracted indicators to scope for related activity on the same `host.id` and across other hosts where the same `user.id` is active, focusing on the alert timeframe and immediately adjacent activity.
 64- Correlate with adjacent telemetry to identify the execution chain and impact (as available in your environment):
 65  - Process activity: identify the PowerShell host process and the initiating parent process to understand whether execution was interactive, scheduled, or launched by another program.
 66  - Network activity: look for outbound connections aligned with the alert timestamp, especially if deobfuscated content suggests downloads or socket connections.
 67  - File and registry activity: look for payload staging, new or modified files, or persistence-related changes that occur shortly after the script block execution.
 68  - Authentication activity: review for suspicious logons, remote session creation, or lateral movement attempts around the same time on the affected host.
 69- Determine severity and next actions:
 70  - If the deobfuscated content indicates remote retrieval, execution of downloaded content, credential access, persistence, or lateral movement, treat the alert as potentially malicious and escalate for response.
 71  - If the script appears benign, document the validated purpose, expected owner, and any recurring identifiers (such as file location patterns) to support future triage.
 72
 73### False positive analysis
 74
 75- Internal scripts or tooling may use reversed strings as lightweight obfuscation to conceal configuration values or reduce casual readability. Validate the script's ownership, change history, and whether its presence and execution timing are expected for `host.id` and `user.id`.
 76- Commercial software, endpoint management agents, or security tooling may generate or embed obfuscated PowerShell during installation, updates, or health checks. Validate whether the activity aligns with known maintenance windows, expected endpoints, and consistent script content and `file.path` patterns.
 77- Authorized security testing may intentionally use string reversal. Confirm the scope, timing, and target hosts with the appropriate stakeholders before closing the alert.
 78
 79### Response and remediation
 80
 81- If activity is suspicious or unauthorized, contain the affected host to prevent further script execution and potential follow-on actions.
 82- Preserve evidence:
 83  - Retain the full `powershell.file.script_block_text` (including all segments reconstructed via `powershell.file.script_block_id`, `powershell.sequence`, and `powershell.total`).
 84  - Retain `file.path` context and the alert metadata needed to pivot (such as `host.id` and `user.id`).
 85- Identify and remediate the execution source:
 86  - Determine how PowerShell was launched (interactive, scheduled, or by another process) using correlated telemetry, and remove the triggering mechanism.
 87  - If an on-disk script is involved, remediate the file at `file.path` and any associated payloads or artifacts identified during analysis.
 88- Scope and hunt:
 89  - Search for the same or similar obfuscated content and extracted indicators across other endpoints, prioritizing systems accessed by the same `user.id` and systems with similar `file.path` patterns.
 90- Account actions:
 91  - If account misuse is suspected, follow organizational procedures to contain the account (for example, credential reset and session revocation) and review recent activity for additional suspicious behavior.
 92- Recovery and hardening:
 93  - Verify PowerShell logging coverage and retention are sufficient for incident response, and monitor for recurrence of similar reversed-keyword patterns on affected hosts and users.
 94"""
 95risk_score = 21
 96rule_id = "f38633f4-3b31-4c80-b13d-e77c70ce8254"
 97setup = """## Setup
 98
 99PowerShell Script Block Logging must be enabled to generate the events used by this rule (e.g., 4104).
100Setup instructions: https://ela.st/powershell-logging-setup
101"""
102severity = "low"
103tags = [
104    "Domain: Endpoint",
105    "OS: Windows",
106    "Use Case: Threat Detection",
107    "Tactic: Defense Evasion",
108    "Data Source: PowerShell Logs",
109    "Resources: Investigation Guide",
110]
111timestamp_override = "event.ingested"
112type = "esql"
113
114query = '''
115from logs-windows.powershell_operational* metadata _id, _version, _index
116| where event.code == "4104"
117
118// Filter for scripts that contains these keywords using MATCH, boosts the query performance,
119// match will ignore the | and look for the individual words
120| where powershell.file.script_block_text : "rahc|metsys|stekcos|tcejboimw|ecalper|ecnerferpe|noitcennoc|nioj|eman|vne|gnirts|tcejbo-wen|_23niw|noisserpxe|ekovni|daolnwod"
121
122// replace the patterns we are looking for with the 🔥 emoji to enable counting them
123// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1
124| eval Esql.script_block_tmp = replace(
125    powershell.file.script_block_text,
126    """(?i)(rahc|metsys|stekcos|tcejboimw|ecalper|ecnerferpe|noitcennoc|nioj|eman\.|:vne$|gnirts|tcejbo-wen|_23niw|noisserpxe|ekovni|daolnwod)""",
127    "🔥"
128)
129
130// count how many patterns were detected by calculating the number of 🔥 characters inserted
131| eval Esql.script_block_pattern_count = length(Esql.script_block_tmp) - length(replace(Esql.script_block_tmp, "🔥", ""))
132
133// keep the fields relevant to the query, although this is not needed as the alert is populated using _id
134| keep
135    Esql.script_block_pattern_count,
136    Esql.script_block_tmp,
137    powershell.file.*,
138    file.path,
139    powershell.sequence,
140    powershell.total,
141    _id,
142    _version,
143    _index,
144    host.name,
145    host.id,
146    agent.id,
147    user.id
148
149// Filter for scripts that match the pattern at least twice
150| where Esql.script_block_pattern_count >= 2
151'''
152
153
154[[rule.threat]]
155framework = "MITRE ATT&CK"
156[[rule.threat.technique]]
157id = "T1027"
158name = "Obfuscated Files or Information"
159reference = "https://attack.mitre.org/techniques/T1027/"
160
161[[rule.threat.technique]]
162id = "T1140"
163name = "Deobfuscate/Decode Files or Information"
164reference = "https://attack.mitre.org/techniques/T1140/"
165
166
167[rule.threat.tactic]
168id = "TA0005"
169name = "Defense Evasion"
170reference = "https://attack.mitre.org/tactics/TA0005/"
171[[rule.threat]]
172framework = "MITRE ATT&CK"
173[[rule.threat.technique]]
174id = "T1059"
175name = "Command and Scripting Interpreter"
176reference = "https://attack.mitre.org/techniques/T1059/"
177[[rule.threat.technique.subtechnique]]
178id = "T1059.001"
179name = "PowerShell"
180reference = "https://attack.mitre.org/techniques/T1059/001/"
181
182
183
184[rule.threat.tactic]
185id = "TA0002"
186name = "Execution"
187reference = "https://attack.mitre.org/tactics/TA0002/"
188
189[rule.investigation_fields]
190field_names = [
191    "@timestamp",
192    "user.name",
193    "user.id",
194    "user.domain",
195    "powershell.file.script_block_text",
196    "powershell.file.script_block_id",
197    "powershell.sequence",
198    "powershell.total",
199    "file.path",
200    "file.directory",
201    "file.name",
202    "process.pid",
203    "host.name",
204    "host.id",
205    "powershell.file.script_block_length"
206]