detection.wiki

Detection rules › Elastic

Potential Dynamic IEX Reconstruction via Environment Variables

Author
Elastic
Source
upstream

Detects PowerShell scripts that reconstructs IEX (Invoke-Expression) by indexing environment variable strings (for example, $env:VAR[1,2,3]) or related .name[...] slices and joining characters at runtime. Attackers use environment-variable slicing to hide dynamic execution and evade keyword-based detections and AMSI.

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1059 Command and Scripting Interpreter, T1059.001 Command and Scripting Interpreter: PowerShell
Defense EvasionT1027 Obfuscated Files or Information, T1027.010 Obfuscated Files or Information: Command Obfuscation, T1140 Deobfuscate/Decode Files or Information

Event coverage

ProviderEvent IDTitle
PowerShell4104Creating Scriptblock text (MessageNumber of MessageTotal).

Stages and Predicates

Stage 1: esql:from

Stage 2: esql:where

Stage 3: esql:eval

Stage 4: esql:where

Esql.script_block_length > 500

Stage 5: esql:eval

Stage 6: esql:eval

Stage 7: esql:keep

Stage 8: esql:where

Esql.script_block_pattern_count >= 1

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Esql.script_block_lengthgt
  • 500 corpus 6 (elastic 6)
Esql.script_block_pattern_countge
  • 1 corpus 6 (elastic 6)

Neighbors

Equivalent rules

1 other rule has the same matching logic as this one. Useful for cross-vendor comparison or picking the variant your stack supports. See eq_0001.

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.