detection-rules icon indicating copy to clipboard operation
detection-rules copied to clipboard
verified publisher icon elastic

[New Rule] Potential PowerShell Obfuscation via Character Array Reconstruction

Open w0rk3r opened this issue 8 months ago • 3 comments

Issues

Part of https://github.com/elastic/ia-trade-team/issues/533

Summary

Identifies PowerShell scripts that use character arrays and runtime string reconstruction as a form of obfuscation. This technique breaks strings into individual characters, often using constructs like char[] with index-based access or joining logic. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI).

0 hits last 90d on telemetry

Additional information

From my testing, the | KEEP condition doesn’t need to specify any fields other than the metadata ones (_id and _index), as the engine appears to populate the alert using them. However, I’m keeping it as-is because it significantly improves performance in Discovery and makes the results more understandable if someone uses the query for hunting.

image

Sample Match

image

w0rk3r avatar Apr 14 '25 17:04 w0rk3r

Rule: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing rule.

Documentation and Context

  • [ ] Detailed description of the suggested changes.
  • [ ] Provide example JSON data or screenshots.
  • [ ] Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • [ ] Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • [ ] Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • [ ] Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • [ ] Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • [ ] Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • [ ] Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
  • [ ] Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
  • [ ] Provide evidence of improving quality integrity of our data used by detection rules (Data Quality).
  • [ ] Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • [ ] updated_date matches the date of tuning PR merged.
  • [ ] min_stack_version should support the widest stack versions.
  • [ ] name and description should be descriptive and not include typos.
  • [ ] query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • [ ] Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • [ ] Ensure that the tuned rule has a low false positive rate.

github-actions[bot] avatar Apr 14 '25 17:04 github-actions[bot]

⛔️ Test failed

Results
  • ❌ Potential PowerShell Obfuscation via Character Array Reconstruction (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

tradebot-elastic avatar Apr 14 '25 17:04 tradebot-elastic

⛔️ Test failed

Results
  • ❌ Potential PowerShell Obfuscation via Character Array Reconstruction (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

tradebot-elastic avatar Apr 15 '25 15:04 tradebot-elastic

⛔️ Test failed

Results
  • ❌ Potential PowerShell Obfuscation via Character Array Reconstruction (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

tradebot-elastic avatar May 06 '25 12:05 tradebot-elastic