Jonhnathan
- **Issues:** Part of https://github.com/elastic/ia-trade-team/issues/533. **Summary:** Identifies PowerShell scripts that use string reordering and runtime reconstruction techniques as a form of obfuscation. These methods are designed to evade static...
- **Issues:** Part of https://github.com/elastic/ia-trade-team/issues/533. **Summary:** Identifies PowerShell scripts that use string concatenation as a form of obfuscation. These methods are designed to evade static analysis and bypass security...
- **Issues:** Part of https://github.com/elastic/ia-trade-team/issues/533. **Summary:** Identifies PowerShell scripts that use character arrays and runtime string reconstruction as a form of obfuscation. This technique breaks strings into individual characters,...
- **Issues:** Part of https://github.com/elastic/ia-trade-team/issues/533. **Summary:** Identifies PowerShell scripts with an abnormally high proportion of non-alphanumeric characters, often resulting from encoding, string mangling, or dynamic code generation. High volume...
- **Issues:** Part of https://github.com/elastic/ia-trade-team/issues/533. **Summary:** Identifies PowerShell scripts that use backtick-escaped characters inside `${}` variable expansion as a form of obfuscation. These methods are designed to evade static...
- **Issues:** Part of https://github.com/elastic/ia-trade-team/issues/533. **Summary:** Identifies PowerShell scripts with a disproportionately high number of numeric characters, often indicating the presence of obfuscated or encoded payloads. This behavior is...
- **Issues:** Part of https://github.com/elastic/ia-trade-team/issues/533. **Summary:** Identifies PowerShell scripts with an unusually high proportion of whitespace and special characters, often indicative of obfuscation. This behavior is commonly associated with...
- **Issues:** Part of https://github.com/elastic/ia-trade-team/issues/533. **Summary:** Identifies PowerShell scripts that reconstruct the IEX (Invoke-Expression) command at runtime using indexed slices of environment variables. This technique leverages character access and...
- **Issues:** Part of https://github.com/elastic/ia-trade-team/issues/533. **Summary:** Identifies PowerShell scripts that reconstruct the IEX (Invoke-Expression) command by accessing and indexing the string representation of method references. This obfuscation technique uses...
- **Summary:** Alert correlation-like rule that parses the `script_block_id` from the `message` field so we can alert when PowerShell scripts trigger multiple PowerShell rules. Shorter description: Identifies PowerShell script blocks...