Potential PowerShell Obfuscation via Invalid Escape Sequences

Author: Elastic
Source: upstream

Detects PowerShell scripts with repeated invalid backtick escapes between word characters (letters, digits, underscore, or dash), splitting tokens while preserving execution. Attackers use this obfuscation to fragment keywords and evade pattern-based detection and AMSI.

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1059` Command and Scripting Interpreter, `T1059.001` Command and Scripting Interpreter: PowerShell
Defense Evasion	`T1027` Obfuscated Files or Information, `T1027.010` Obfuscated Files or Information: Command Obfuscation, `T1140` Deobfuscate/Decode Files or Information

Event coverage

Provider	Event ID	Title
PowerShell	4104	Creating Scriptblock text (MessageNumber of MessageTotal).

Stages and Predicates

Stage 1: `esql:from`

Stage 2: `esql:where`

powershell.file.script_block_text:"`"

Stage 3: `esql:eval`

Stage 4: `esql:eval`

Stage 5: `esql:keep`

Stage 6: `esql:where`

Esql.script_block_pattern_count >= 20

Stage 7: `esql:where`

(not file.name:* or <macro:>)

Stage 8: `esql:where`

not powershell.file.script_block_text:"$([char]0x1b)]633"

Stage 9: `esql:where`

(not file.directory:"C:\\\\Program Files\\\\MVPSI\\\\JAMS\\\\Agent\\\\Temp" or not file.directory:*)

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage	Field	Kind	Excluded values
1	`ScriptBlockText`	match	`$([char]0x1b)]633`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Esql.script_block_pattern_count`	ge	`20`
`powershell.file.script_block_text`	wildcard	`

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.

Powershell Directory Enumeration [sigma] (cross-vendor) (adds 7 filters) (first-stage match only; downstream stages may differ)
Silence.EDA Detection [sigma] (cross-vendor) (adds 6 filters) (first-stage match only; downstream stages may differ)
Automated Collection Bookmarks Using Get-ChildItem PowerShell [sigma] (cross-vendor) (adds 6 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation Via Use MSHTA - PowerShell [sigma] (cross-vendor) (adds 6 filters) (first-stage match only; downstream stages may differ)
Suspicious Invoke-Item From Mount-DiskImage [sigma] (cross-vendor) (adds 6 filters) (first-stage match only; downstream stages may differ)
Potential Persistence Via Security Descriptors - ScriptBlock [sigma] (cross-vendor) (adds 6 filters) (first-stage match only; downstream stages may differ)
Suspicious New-PSDrive to Admin Share [sigma] (cross-vendor) (adds 6 filters) (first-stage match only; downstream stages may differ)
WMIC Unquoted Services Path Lookup - PowerShell [sigma] (cross-vendor) (adds 6 filters) (first-stage match only; downstream stages may differ)
Windows Exfiltration Over C2 Via Invoke RestMethod [splunk] (cross-vendor) (adds 6 filters) (first-stage match only; downstream stages may differ)
Windows Gather Victim Host Information Camera [splunk] (cross-vendor) (adds 6 filters) (first-stage match only; downstream stages may differ)
Get-ADUser Enumeration Using UserAccountControl Flags [sigma] (cross-vendor) (adds 5 filters) (first-stage match only; downstream stages may differ)
DirectorySearcher Powershell Exploitation [sigma] (cross-vendor) (adds 5 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation Via Use Rundll32 - PowerShell [sigma] (cross-vendor) (adds 5 filters) (first-stage match only; downstream stages may differ)
Suspicious PowerShell Invocations - Specific [sigma] (cross-vendor) (adds 5 filters) (first-stage match only; downstream stages may differ)
PowerShell WMI Win32_Product Install MSI [sigma] (cross-vendor) (adds 5 filters) (first-stage match only; downstream stages may differ)
Allow Inbound Traffic In Firewall Rule [splunk] (cross-vendor) (adds 5 filters) (first-stage match only; downstream stages may differ)
GetWmiObject DS User with PowerShell Script Block [splunk] (cross-vendor) (adds 5 filters) (first-stage match only; downstream stages may differ)
Remote Process Instantiation via WMI and PowerShell Script Block [splunk] (cross-vendor) (adds 5 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell [sigma] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell [sigma] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Powershell MsXml COM Object [sigma] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Code Executed Via Office Add-in XLL File [sigma] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
PowerShell Script With File Hostname Resolving Capabilities [sigma] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Detected Windows Software Discovery - PowerShell [sigma] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Powershell Store File In Alternate Data Stream [sigma] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Extracting Information with PowerShell [sigma] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Troubleshooting Pack Cmdlet Execution [sigma] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Replace Desktop Wallpaper by Powershell [sigma] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Veeam Backup Servers Credential Dumping Script Execution [sigma] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Potential WinAPI Calls Via PowerShell Scripts [sigma] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
AdsiSearcher Account Discovery [splunk] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
GetWmiObject Ds Computer with PowerShell Script Block [splunk] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
GetWmiObject Ds Group with PowerShell Script Block [splunk] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Remote System Discovery with Adsisearcher [splunk] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Windows Account Discovery for None Disable User Account [splunk] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Windows Linked Policies In ADSI Discovery [splunk] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Windows PowerShell Disable HTTP Logging [splunk] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Windows Powershell Import Applocker Policy [splunk] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Windows Root Domain linked policies Discovery [splunk] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Powershell Add Name Resolution Policy Table Rule [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
AMSI Bypass Pattern Assembly GetType [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Potential Data Exfiltration Via Audio File [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Clear PowerShell History - PowerShell [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Registry-Free Process Scope COR_PROFILER [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
DMSA Service Account Created in Specific OUs - PowerShell [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Create Volume Shadow Copy with Powershell [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Disable-WindowsOptionalFeature Command PowerShell [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Potential Suspicious Windows Feature Enabled [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Suspicious FromBase64String Usage On Gzip Archive - Ps Script [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Suspicious Get-ADReplAccount [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
PowerShell ICMP Exfiltration [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Suspicious PowerShell Mailbox Export to Share - PS [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
PowerShell Script Change Permission Via Set-Acl - PsScript [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Suspicious IO.FileStream [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Suspicious TCP Tunnel Via PowerShell Script [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Remove Account From Domain Admin Group [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Suspicious SSL Connection [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Suspicious Start-Process PassThru [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Suspicious PowerShell WindowStyle Option [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Testing Usage of Uncommonly Used Port [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
User Discovery And Export Via Get-ADUser Cmdlet - PowerShell [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Abuse of Service Permissions to Hide Services Via Set-Service - PS [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Registry Modification Attempt Via VBScript - PowerShell [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows Firewall Profile Disabled [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Powershell XML Execute Command [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Delete ShadowCopy With PowerShell [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Detect Copy of ShadowCopy with Script Block Logging [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Detect Empire with PowerShell Script Block Logging [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Disabled Kerberos Pre-Authentication Discovery With PowerView [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Domain Group Discovery with Adsisearcher [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Elevated Group Discovery with PowerView [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Get ADUser with PowerShell Script Block [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Get WMIObject Group Discovery with Script Block Logging [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
GetCurrent User with PowerShell Script Block [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
GetWmiObject User Account with PowerShell Script Block [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Interactive Session on Remote Endpoint with PowerShell [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Kerberos Pre-Authentication Flag Disabled with PowerShell [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Powershell Enable SMB1Protocol Feature [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Powershell Remote Services Add TrustedHost [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Powershell Remove Windows Defender Directory [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Powershell Using memory As Backing Store [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
PowerShell WebRequest Using Memory Stream [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Powershell Windows Defender Exclusion Commands [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Recon AVProduct Through Pwh or WMI [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Recon Using WMI Class [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Remote Process Instantiation via WinRM and PowerShell Script Block [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows Account Discovery for Sam Account Name [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows Account Discovery With NetUser PreauthNotRequire [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows Archive Collected Data via Powershell [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows Domain Account Discovery Via Get-NetComputer [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows ESX Admins Group Creation via PowerShell [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows Exfiltration Over C2 Via Powershell UploadString [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows Get-AdComputer Unconstrained Delegation Discovery [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows Powershell Cryptography Namespace [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows PowerShell Get CIMInstance Remote Computer [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows Powershell History File Deletion [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows PowerShell Invoke-RestMethod IP Information Collection [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows PowerShell MSIX Package Installation [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows PowerView Constrained Delegation Discovery [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows PowerView SPN Discovery [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows PowerView Unconstrained Delegation Discovery [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows Screen Capture Via Powershell [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
WMI Recon Running Process Or Services [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Access to Browser Login Data [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Potential Active Directory Enumeration Using AD Module - PsScript [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Disable Powershell Command History [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Enumerate Credentials from Windows Credential Manager With PowerShell [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Service Registry Permissions Weakness Check [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Active Directory Group Enumeration With Get-AdGroup [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
PowerShell Hotfix Enumeration [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Execute Invoke-command on Remote Host [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Live Memory Dump Using Powershell [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
DMSA Link Attributes Modified [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Potential Invoke-Mimikatz PowerShell Script [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
PowerShell Remote Session Creation [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Root Certificate Installed - PowerShell [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
PowerShell Set-Acl On Windows Folder - PsScript [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Potential PowerShell Obfuscation Using Character Join [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Suspicious GetTypeFromCLSID ShellExecute [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Suspicious Mount-DiskImage [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Suspicious Unblock-File [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
PowerShell Write-EventLog Usage [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Detect Certify With PowerShell Script Block Logging [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Detect Mimikatz With PowerShell Script Block Logging [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Exchange PowerShell Module Usage [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Get ADDefaultDomainPasswordPolicy with Powershell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Get ADUserResultantPasswordPolicy with Powershell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Get DomainPolicy with Powershell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Get-DomainTrust with PowerShell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Get DomainUser with PowerShell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Get-ForestTrust with PowerShell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
GetAdComputer with PowerShell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
GetAdGroup with PowerShell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
GetDomainComputer with PowerShell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
GetDomainController with PowerShell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
GetDomainGroup with PowerShell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
GetLocalUser with PowerShell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
GetNetTcpconnection with PowerShell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Mailsniper Invoke functions [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Powershell COM Hijacking InprocServer32 Modification [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Powershell Creating Thread Mutex [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
PowerShell Domain Enumeration [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
PowerShell Enable PowerShell Remoting [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Powershell Execute COM Object [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Powershell Fileless Process Injection via GetProcAddress [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Powershell Fileless Script Contains Base64 Encoded Content [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Powershell Get LocalGroup Discovery with Script Block Logging [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
PowerShell Invoke CIMMethod CIMSession [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
PowerShell Invoke WmiExec Usage [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Powershell Load Module in Meterpreter [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
PowerShell Loading DotNET into Memory via Reflection [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Powershell Processing Stream Of Data [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
PowerShell Script Block With URL Chain [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
PowerShell Start or Stop Service [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Remote Process Instantiation via DCOM and PowerShell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
ServicePrincipalNames Discovery with PowerShell [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Unloading AMSI via Reflection [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
User Discovery With Env Vars PowerShell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows ClipBoard Data via Get-ClipBoard [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows Enable PowerShell Web Access [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows File Share Discovery With Powerview [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows Find Domain Organizational Units with GetDomainOU [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows Find Interesting ACL with FindInterestingDomainAcl [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows Forest Discovery with GetForestDomain [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows Get Local Admin with FindLocalAdminAccess [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows PowerShell Add Module to Global Assembly Cache [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows PowerShell Export Certificate [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows PowerShell Export PfxCertificate [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows PowerShell IIS Components WebGlobalModule Usage [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows PowerShell Invoke-Sqlcmd Execution [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows Powershell Logoff User via Quser [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows PowerShell ScheduleTask [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows PowerShell Script Block With Malicious String [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows PowerShell WMI Win32 ScheduledJob [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows PowerSploit GPP Discovery [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows PowerView AD Access Control List Enumeration [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows PowerView Kerberos Service Ticket Request [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
AADInternals PowerShell Cmdlets Execution - PsScript [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Add Windows Capability Via PowerShell Script [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
PowerShell ADRecon Execution [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Potential AMSI Bypass Script Using NULL Bits [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Automated Collection Command PowerShell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Windows Screen Capture with CopyFromScreen [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Clearing Windows Console History [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Powershell Create Scheduled Task [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Powershell Install a DLL in System Directory [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
PowerShell Create Local User [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Powershell Detect Virtualization Environment [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Manipulation of User Computer or Group Security Principals Across AD [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Potential In-Memory Execution Using Reflection.Assembly [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Potential COM Objects Download Cradles Usage - PS Script [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
DSInternals Suspicious PowerShell Cmdlets - ScriptBlock [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Dump Credentials from Windows Credential Manager With PowerShell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Enable Windows Remote Management [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Disable of ETW Trace - Powershell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Certificate Exported Via PowerShell - ScriptBlock [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Active Directory Computers Enumeration With Get-AdComputer [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Security Software Discovery Via Powershell Script [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
HackTool - Rubeus Execution - ScriptBlock [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
HackTool - WinPwn Execution - ScriptBlock [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Import PowerShell Modules From Suspicious Directories [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Powershell DNSExfiltration [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation CLIP+ Launcher - PowerShell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation STDIN+ Launcher - Powershell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation VAR+ Launcher - PowerShell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation Via Stdin - Powershell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation Via Use Clip - Powershell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Powershell Keylogging [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Powershell LocalAccount Manipulation [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Malicious PowerShell Commandlets - ScriptBlock [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Malicious PowerShell Keywords [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Modify Group Policy Settings - ScriptBlockLogging [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Malicious Nishang PowerShell Commandlets [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
NTFS Alternate Data Stream [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
PowerShell Web Access Installation - PsScript [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
PowerView PowerShell Cmdlets - ScriptBlock [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
PowerShell Credential Prompt [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
PSAsyncShell - Asynchronous TCP Reverse Shell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
PowerShell PSAttack [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
PowerShell Script With File Upload Capabilities [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Powershell Sensitive File Discovery [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Change PowerShell Policies to an Insecure Level - PowerShell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
PowerShell ShellCode [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Malicious ShellIntel PowerShell Commandlets [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
AD Groups Or Users Enumeration Using PowerShell - ScriptBlock [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious Eventlog Clear [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious PowerShell Download - Powershell Script [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Powershell Execute Batch Script [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious PowerShell Get Current User [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious GPO Discovery With Get-GPO [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious Process Discovery With Get-Process [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
PowerShell Get-Process LSASS in ScriptBlock [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious Hyper-V Cmdlets [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious PowerShell Invocations - Generic [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Change User Agents with WebRequest [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Potential Keylogger Activity [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Potential Suspicious PowerShell Keywords [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious Get Local Groups Information - PowerShell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Powershell Local Email Collection [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
PowerShell Deleted Mounted Share [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious Connection to Remote Account [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Recon Information for Export with PowerShell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious Service DACL Modification Via Set-Service Cmdlet - PS [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Potential PowerShell Obfuscation Using Alias Cmdlets [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious Get Information for SMB Share [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Powershell Suspicious Win32_PnPEntity [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Zip A Folder With PowerShell For Staging In Temp - PowerShell Script [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
SyncAppvPublishingServer Execution to Bypass Powershell Restriction [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Tamper Windows Defender - ScriptBlockLogging [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Powershell Timestomp [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Potential Persistence Via PowerShell User Profile Using Add-Content [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Usage Of Web Request Commands And Cmdlets - ScriptBlock [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Windows Defender Exclusions Added - PowerShell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Winlogon Helper DLL [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Powershell WMI Persistence [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
WMImplant Hack Tool [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious X509Enrollment - Ps Script [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
PowerShell 4104 Hunting [splunk] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)

Potential PowerShell Obfuscation via Invalid Escape Sequences

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: esql:from

Stage 2: esql:where

Stage 3: esql:eval

Stage 4: esql:eval

Stage 5: esql:keep

Stage 6: esql:where

Stage 7: esql:where

Stage 8: esql:where

Stage 9: esql:where