Language: KQL · License: Elastic-2.0 · Source: elastic/detection-rules

Deprecated - Potential PowerShell Obfuscated Script

Rule source: rules/windows/defense_evasion_posh_obfuscation.toml
event.category:process and host.os.type:windows and
  powershell.file.script_block_text : (
    "[string]::join" or
    "-Join" or
    "[convert]::toint16" or
    "[char][int]$_" or
    ("ConvertTo-SecureString" and "PtrToStringAuto") or
    "-BXor" or
    ("replace" and "char") or
    "[array]::reverse" or
    "-replace"
  ) and
  powershell.file.script_block_text : (
    ("$pSHoMe[" and "+$pSHoMe[") or
    ("$ShellId[" and "+$ShellId[") or
    ("$env:ComSpec[4" and "25]-Join") or
    (("Set-Variable" or "SV" or "Set-Item") and "OFS") or
    ("*MDR*" and "Name[3,11,2]") or
    ("$VerbosePreference" and "[1,3]+'X'-Join''") or
    ("rahc" or "ekovin" or "gnirts" or "ecnereferpesobrev" or "ecalper" or "cepsmoc" or "dillehs") or
    ("System.Management.Automation.$([cHAr]" or "System.$([cHAr]" or ")+[cHAR]([byte]")
  ) and
  not powershell.file.script_block_text : (
        ("Copyright (c) 2018 Ansible Project" or "Export-ModuleMember -Function Add-CSharpType") and
        ("[Object]$AnsibleModule" or "$AnsibleModule.Tmpdir")
  )