Powershell Obfuscation and Escape Characters
Looks for the execution of PowerShell with unusually high counts of characters like ^, +, $, and % (the regex fires at five or more of them in the command line). Inspired by the 2022 Red Canary Threat Detection report. Two caveats before deploying it: $ prefixes every PowerShell variable, so an honest one-liner with five variable references also matches, which makes the "Unknown" false-positive entry and the high level optimistic; and the selection only covers \powershell.exe, so PowerShell 7 (pwsh.exe) is never inspected.
Sigma rule

```yaml
title: Powershell Obfuscation and Escape Characters
id: bb1e6157-bc60-41fc-a395-513ed538fabe
status: experimental
description: Looks for the execution of PowerShell with unusually high counts of characters
    like ^, +, $, and %. Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/powershell/
author: Micah Babinski
date: 2022/11/03
tags:
    - attack.execution
    # T1059.001 is PowerShell; T1059.003 (Windows Command Shell) did not match the Image filter below
    - attack.t1059.001
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        # regex below detects five or more occurrences of the suspicious characters
        CommandLine|re: '^([^^+$%]*[\^+$%]){5,}[^^+$%]*$'
    condition: selection
falsepositives:
    - Unknown
level: high
```
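To see what the selection actually fires on, here is an added Python example (not part of the rule, the page, or the author's work) that evaluates the rule's two selection fields, the Image suffix and the CommandLine regex copied verbatim from above, over a handful of constructed process_creation events. It also shows that the regex is equivalent to a plain count of the four characters, and includes a hypothetical tuning (matches_tuned, my assumption, not part of the rule) that additionally requires two distinct suspicious characters so that a variable-heavy but honest one-liner drops out while a string-concatenation chain still fires.

```python
import re

# Regex taken verbatim from the rule's CommandLine|re selection: five or more
# occurrences of ^ + $ % anywhere in the command line. The anchors make the
# repeated group account for the whole string, so this is a simple threshold.
RULE_REGEX = re.compile(r'^([^^+$%]*[\^+$%]){5,}[^^+$%]*$')
SUSPICIOUS_CHARS = set("^+$%")

PS5 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not real telemetry); field names follow the Sigma
# windows/process_creation taxonomy used by the rule.
SAMPLE_EVENTS = [
    {   # string-concatenation obfuscation: eight '$' and '+' characters
        "id": "A", "Image": PS5,
        "CommandLine": "powershell.exe -nop -w hidden -c \"$a='I'+'EX';$b=('Ne'+'w-Obj'+'ect');$c=$b+' Net.WebClient'\"",
    },
    {   # caret escapes: nine '^', but the Image is cmd.exe, so the rule ignores it
        "id": "B", "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c p^o^w^e^r^s^h^e^l^l -w hidden -enc SQBFAFgA",
    },
    {   # ordinary scheduled script: no suspicious characters at all
        "id": "C", "Image": PS5,
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    },
    {   # benign one-liner that still matches: five '$' from ordinary variables
        "id": "D", "Image": PS5,
        "CommandLine": "powershell.exe -Command \"$d=(Get-Date).AddDays(-7);$p='C:\\logs';Get-ChildItem $p | Where-Object {$_.LastWriteTime -lt $d} | Remove-Item\"",
    },
    {   # same obfuscation under PowerShell 7: regex would fire, Image filter does not
        "id": "E", "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": "pwsh.exe -c \"$a='I'+'EX';$b='Ne'+'w-Object';&$a $b\"",
    },
]


def count_suspicious(cmdline: str) -> int:
    """Number of ^ + $ % characters; the regex above is equivalent to count >= 5."""
    return sum(1 for ch in cmdline if ch in SUSPICIOUS_CHARS)


def image_matches(image: str) -> bool:
    """Sigma string matching is case-insensitive; endswith runs on the full path."""
    return image.lower().endswith(r"\powershell.exe")


def matches_rule(event: dict) -> bool:
    """Evaluate the rule's single selection: both fields must match (AND)."""
    return image_matches(event["Image"]) and RULE_REGEX.search(event["CommandLine"]) is not None


def matches_tuned(event: dict, min_count: int = 5, min_distinct: int = 2) -> bool:
    """Hypothetical tuning, not part of the rule: keep the threshold but also
    require at least two distinct suspicious characters, which drops honest
    '$'-only one-liners while '$' + '+' concatenation chains still fire."""
    cmd = event["CommandLine"]
    distinct = {ch for ch in cmd if ch in SUSPICIOUS_CHARS}
    return (image_matches(event["Image"])
            and count_suspicious(cmd) >= min_count
            and len(distinct) >= min_distinct)


def run_rule(events, evaluator=matches_rule):
    """Return the ids of the events the given evaluator flags, in input order."""
    return [e["id"] for e in events if evaluator(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], count_suspicious(e["CommandLine"]), matches_rule(e), matches_tuned(e))
    print("rule hits:", run_rule(SAMPLE_EVENTS))          # ['A', 'D']
    print("tuned hits:", run_rule(SAMPLE_EVENTS, matches_tuned))  # ['A']
```

Event D is the false positive the "Unknown" field glosses over, event E is the pwsh.exe coverage gap, and event B shows why caret-heavy cmd.exe lines belong to the separate Command Shell rule rather than this one.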
Related rules
- Command Shell Obfuscated Commands
- Base64 Encoding in CMD or Powershell
- Command Shell Bypassing Security Controls
- Command Shell Unusual or Suspicious Process Ancestry
- Gootloader Stage 2 Registry Key Creation