Potential PowerShell Obfuscation Using Character Join

calendar Aug 12, 2024 · attack.defense-evasion attack.execution attack.t1027 attack.t1059.001  ·
Share on: linkedin copy

Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation

Sigma rule (View on GitHub)

 1title: Potential PowerShell Obfuscation Using Character Join
 2id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
 3related:
 4    - id: 96cd126d-f970-49c4-848a-da3a09f55c55
 5      type: derived
 6status: test
 7description: Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation
 8references:
 9    - Internal Research
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-01-09
12tags:
13    - attack.defense-evasion
14    - attack.execution
15    - attack.t1027
16    - attack.t1059.001
17logsource:
18    product: windows
19    category: ps_script
20    definition: 'Requirements: Script Block Logging must be enabled'
21detection:
22    selection:
23        # Example:
24        #   Set-Alias -Name Y -Value (-join("Ne","w-O","bje","ct"))
25        #   Set-Alias -Name X -Value (-join("Inv","oke","-","Exp","ression"))
26        ScriptBlockText|contains|all:
27            - '-Alias' # For both "New-Alias" and "Set-Alias"
28            - ' -Value (-join('
29    condition: selection
30falsepositives:
31    - Unknown
32level: low

References

Related rules

to-top