Potential PowerShell Obfuscated Script

Elastic Detection Rules

Summary
This detection rule identifies potentially malicious PowerShell scripts that use obfuscation techniques to evade security controls. Attackers commonly apply such obfuscation to bypass the Antimalware Scan Interface (AMSI) and other security mechanisms. The rule analyzes PowerShell script block logs for patterns commonly associated with obfuscation, including string manipulation, encoding techniques, and non-standard method calls that may indicate malicious intent. It serves as a measure for detecting defense evasion and helps security teams flag relevant threats based on recognized attack patterns. The setup instructions describe how to enable PowerShell Script Block Logging, which the rule requires in order to work in a Windows environment. The rule also references the MITRE ATT&CK techniques for obfuscated information and command execution, giving context for the attacker behaviour it covers.
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Logon Session
  • Application Log
ATT&CK Techniques
  • T1027
  • T1140
  • T1059
  • T1059.001
Created: 2024-07-03