Potential PowerShell Obfuscated Script
Identifies script blocks that contain patterns and known methods used to obfuscate PowerShell code. Attackers use obfuscation to evade string-based detection and PowerShell security controls such as the Antimalware Scan Interface (AMSI).
Rule type: query
Rule indices:
- winlogbeat-*
- logs-windows.powershell*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Defense Evasion
- Data Source: PowerShell Logs
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Setup
The PowerShell Script Block Logging policy must be enabled. Steps to enable it via Group Policy:
Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable)
Steps to enable it via the registry:
reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
Script block logging writes event ID 4104 to the Microsoft-Windows-PowerShell/Operational channel; that channel must be collected into one of the rule indices listed above for the rule to fire.
Rule query
event.category:process and host.os.type:windows and powershell.file.script_block_text : ( "[string]::join" or "-Join" or "[convert]::toint16" or "[char][int]$_" or ("ConvertTo-SecureString" and "PtrToStringAuto") or ".GetNetworkCredential().password" or "-BXor" or ("replace" and "char") or "[array]::reverse" ) and powershell.file.script_block_text : ( ("$pSHoMe[" and "+$pSHoMe[") or ("$ShellId[" and "+$ShellId[") or ("$env:ComSpec[4" and "25]-Join") or (("Set-Variable" or "SV" or "Set-Item") and "OFS") or ("*MDR*" and "Name[3,11,2]") or ("$VerbosePreference" and "[1,3]+'X'-Join''") or ("rahc" or "ekovin" or "gnirts" or "ecnereferpesobrev" or "ecalper" or "cepsmoc" or "dillehs") )
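The query is two clause groups joined by AND: the first group catches generic string-building and decoding primitives, the second catches Invoke-Obfuscation style ways of assembling "iex" from built-in variables, plus reversed keywords. The following Python emulation is an added example, not Elastic's code: it approximates the query with case-insensitive matching over constructed script-block samples (not real telemetry), and shows what the indexed-variable tricks in the second group actually resolve to. The real rule runs phrase queries against the analyzed text field powershell.file.script_block_text, so token boundaries can differ from this substring approximation; the variable values in DEFAULTS are assumed defaults for a standard Windows PowerShell 5.1 install.

```python
"""Offline approximation of the rule query over constructed script blocks.

Added example, not Elastic's code. Purely alphanumeric terms ("sv", "ofs",
"replace", "rahc", ...) are matched as whole tokens so that e.g. "sv" does not
hit "csv"; terms containing punctuation are matched as literal substrings.
"""
import re

# Group 1: generic string-building / decoding primitives (any one clause suffices).
# A clause is a tuple of required terms; each required term is a tuple of alternatives.
GROUP1 = [
    (("[string]::join",),),
    (("-join",),),
    (("[convert]::toint16",),),
    (("[char][int]$_",),),
    (("convertto-securestring",), ("ptrtostringauto",)),
    ((".getnetworkcredential().password",),),
    (("-bxor",),),
    (("replace",), ("char",)),
    (("[array]::reverse",),),
]
# Group 2: ways of assembling "iex" from built-in variables, plus reversed keywords.
GROUP2 = [
    (("$pshome[",), ("+$pshome[",)),
    (("$shellid[",), ("+$shellid[",)),
    (("$env:comspec[4",), ("25]-join",)),
    (("set-variable", "sv", "set-item"), ("ofs",)),
    (("*mdr*",), ("name[3,11,2]",)),
    (("$verbosepreference",), ("[1,3]+'x'-join''",)),
    (("rahc", "ekovin", "gnirts", "ecnereferpesobrev", "ecalper", "cepsmoc", "dillehs"),),
]


def _term_pattern(term: str) -> re.Pattern:
    # Whole-token match for alphanumeric terms, literal substring otherwise.
    if re.fullmatch(r"[a-z0-9]+", term):
        return re.compile(r"(?<![a-z0-9])" + re.escape(term) + r"(?![a-z0-9])", re.I)
    return re.compile(re.escape(term), re.I)


def _any_clause(group, text: str) -> bool:
    # A clause hits when every required term has at least one alternative present.
    return any(
        all(any(_term_pattern(alt).search(text) for alt in alts) for alts in clause)
        for clause in group
    )


def rule_matches(script_block_text: str) -> bool:
    """Mirror the query: a Group 1 clause AND a Group 2 clause must both hit."""
    return _any_clause(GROUP1, script_block_text) and _any_clause(GROUP2, script_block_text)


# Assumed default values on a standard Windows PowerShell 5.1 install ($PSHOME and
# $env:ComSpec depend on the system drive and install path).
DEFAULTS = {
    "$env:ComSpec": r"C:\Windows\system32\cmd.exe",
    "$ShellId": "Microsoft.PowerShell",
    "$PSHOME": r"C:\Windows\System32\WindowsPowerShell\v1.0",
    "$VerbosePreference": "SilentlyContinue",
    "MaximumDriveCount": "MaximumDriveCount",   # variable name hit by (GV '*mdR*').Name
}


def resolve_index_trick(value: str, indexes, suffix: str = "") -> str:
    """What `(value)[i,j,k] -join ''` followed by an optional literal evaluates to."""
    return "".join(value[i] for i in indexes) + suffix


# Constructed script-block samples (not real telemetry).
SAMPLES = {
    "comspec_iex": "&($env:ComSpec[4,15,25]-Join'')('Write-Host hi')",
    "pshome_iex": ".($pSHoMe[4]+$pSHoMe[30]+'x')([string]::join('',[char[]](87,104,111,97,109,105)))",
    "reversed_char": "$t=('rahc'[-1..-4]-join''); (99,97,108,99)|%{[char][int]$_}",
    # Group 1 only: a plain -join is not enough to alert.
    "benign_join": "$names = (Get-ChildItem C:\\Logs).Name -join ', '; Write-Output $names",
    # Group 2 only: setting $OFS alone is not enough either.
    "benign_ofs": "Set-Variable -Name OFS -Value ','; Write-Output \"$args\"",
    # Legitimate script that trips both groups: a candidate for a rule exception.
    "legit_but_flagged": "Set-Item -Path Variable:OFS -Value ''; $out = 'a-b-c'.Replace('-', [char]32)",
}


def run_samples() -> dict:
    return {name: rule_matches(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:20} {'ALERT' if hit else 'no match'}")
    print("$env:ComSpec[4,15,25]-Join'' ->", resolve_index_trick(DEFAULTS["$env:ComSpec"], (4, 15, 25)))
```

The two benign samples show why the AND between the groups matters: either group on its own would be far too noisy on ordinary administration scripts. The last sample shows the residual false-positive surface (string manipulation next to an $OFS assignment), which is the kind of script to whitelist by process or script path rather than by loosening the query.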
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Defense Evasion
  - ID: TA0005
  - Reference URL: https://attack.mitre.org/tactics/TA0005/
- Technique:
  - Name: Obfuscated Files or Information
  - ID: T1027
  - Reference URL: https://attack.mitre.org/techniques/T1027/
- Technique:
  - Name: Deobfuscate/Decode Files or Information
  - ID: T1140
  - Reference URL: https://attack.mitre.org/techniques/T1140/
- Tactic:
  - Name: Execution
  - ID: TA0002
  - Reference URL: https://attack.mitre.org/tactics/TA0002/
- Technique:
  - Name: Command and Scripting Interpreter
  - ID: T1059
  - Reference URL: https://attack.mitre.org/techniques/T1059/
- Sub-technique:
  - Name: PowerShell
  - ID: T1059.001
  - Reference URL: https://attack.mitre.org/techniques/T1059/001/