Detection rules › Elastic
Dynamic IEX Reconstruction via Method String Access
Detects PowerShell scripts that rebuilds IEX by converting method references to strings (for example, ''.IndexOf.ToString()) and extracting multiple indexed characters (for example, [n,n,n]). Attackers use method-string reconstruction to conceal dynamic execution and bypass static detections and AMSI.
MITRE ATT&CK coverage
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| PowerShell | 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Stages and Predicates
Stage 1: esql:from
Stage 2: esql:where
Stage 3: esql:eval
Stage 4: esql:where
Esql.script_block_length > 500Stage 5: esql:eval
Stage 6: esql:eval
Stage 7: esql:keep
Stage 8: esql:where
Esql.script_block_pattern_count >= 1Stage 9: esql:where
(not (file.directory:"C:\\\\\\\\Program Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\Maester\\\\\\\\1.1.0*" or file.directory:"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\Documents\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\Maester\\\\\\\\1.1.0*") or not file.directory:*)Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Esql.script_block_length | gt |
|
Esql.script_block_pattern_count | ge |
|
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.
- Powershell Directory Enumeration (adds 7 filters)
- Silence.EDA Detection (adds 6 filters)
- Automated Collection Bookmarks Using Get-ChildItem PowerShell (adds 6 filters)
- Invoke-Obfuscation Via Use MSHTA - PowerShell (adds 6 filters)
- Suspicious Invoke-Item From Mount-DiskImage (adds 6 filters)
- Potential Persistence Via Security Descriptors - ScriptBlock (adds 6 filters)
- Suspicious New-PSDrive to Admin Share (adds 6 filters)
- WMIC Unquoted Services Path Lookup - PowerShell (adds 6 filters)
- Windows Exfiltration Over C2 Via Invoke RestMethod (adds 6 filters)
- Windows Gather Victim Host Information Camera (adds 6 filters)
- Get-ADUser Enumeration Using UserAccountControl Flags (adds 5 filters)
- DirectorySearcher Powershell Exploitation (adds 5 filters)
- Invoke-Obfuscation Via Use Rundll32 - PowerShell (adds 5 filters)
- Suspicious PowerShell Invocations - Specific (adds 5 filters)
- PowerShell WMI Win32_Product Install MSI (adds 5 filters)
- Allow Inbound Traffic In Firewall Rule (adds 5 filters)
- GetWmiObject DS User with PowerShell Script Block (adds 5 filters)
- Remote Process Instantiation via WMI and PowerShell Script Block (adds 5 filters)
- Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell (adds 4 filters)
- Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell (adds 4 filters)
- Powershell MsXml COM Object (adds 4 filters)
- Code Executed Via Office Add-in XLL File (adds 4 filters)
- PowerShell Script With File Hostname Resolving Capabilities (adds 4 filters)
- Detected Windows Software Discovery - PowerShell (adds 4 filters)
- Powershell Store File In Alternate Data Stream (adds 4 filters)
- Extracting Information with PowerShell (adds 4 filters)
- Troubleshooting Pack Cmdlet Execution (adds 4 filters)
- Replace Desktop Wallpaper by Powershell (adds 4 filters)
- Veeam Backup Servers Credential Dumping Script Execution (adds 4 filters)
- Potential WinAPI Calls Via PowerShell Scripts (adds 4 filters)
- AdsiSearcher Account Discovery (adds 4 filters)
- GetWmiObject Ds Computer with PowerShell Script Block (adds 4 filters)
- GetWmiObject Ds Group with PowerShell Script Block (adds 4 filters)
- Remote System Discovery with Adsisearcher (adds 4 filters)
- Windows Account Discovery for None Disable User Account (adds 4 filters)
- Windows Linked Policies In ADSI Discovery (adds 4 filters)
- Windows PowerShell Disable HTTP Logging (adds 4 filters)
- Windows Powershell Import Applocker Policy (adds 4 filters)
- Windows Root Domain linked policies Discovery (adds 4 filters)
- Powershell Add Name Resolution Policy Table Rule (adds 3 filters)
- AMSI Bypass Pattern Assembly GetType (adds 3 filters)
- Potential Data Exfiltration Via Audio File (adds 3 filters)
- Clear PowerShell History - PowerShell (adds 3 filters)
- Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell (adds 3 filters)
- Registry-Free Process Scope COR_PROFILER (adds 3 filters)
- DMSA Service Account Created in Specific OUs - PowerShell (adds 3 filters)
- Create Volume Shadow Copy with Powershell (adds 3 filters)
- Disable-WindowsOptionalFeature Command PowerShell (adds 3 filters)
- Potential Suspicious Windows Feature Enabled (adds 3 filters)
- Suspicious FromBase64String Usage On Gzip Archive - Ps Script (adds 3 filters)
- Suspicious Get-ADReplAccount (adds 3 filters)
- PowerShell ICMP Exfiltration (adds 3 filters)
- Suspicious PowerShell Mailbox Export to Share - PS (adds 3 filters)
- PowerShell Script Change Permission Via Set-Acl - PsScript (adds 3 filters)
- Suspicious IO.FileStream (adds 3 filters)
- Suspicious TCP Tunnel Via PowerShell Script (adds 3 filters)
- Remove Account From Domain Admin Group (adds 3 filters)
- Suspicious SSL Connection (adds 3 filters)
- Suspicious Start-Process PassThru (adds 3 filters)
- Suspicious PowerShell WindowStyle Option (adds 3 filters)
- Testing Usage of Uncommonly Used Port (adds 3 filters)
- User Discovery And Export Via Get-ADUser Cmdlet - PowerShell (adds 3 filters)
- Abuse of Service Permissions to Hide Services Via Set-Service - PS (adds 3 filters)
- Registry Modification Attempt Via VBScript - PowerShell (adds 3 filters)
- Windows Firewall Profile Disabled (adds 3 filters)
- Powershell XML Execute Command (adds 3 filters)
- Delete ShadowCopy With PowerShell (adds 3 filters)
- Detect Copy of ShadowCopy with Script Block Logging (adds 3 filters)
- Detect Empire with PowerShell Script Block Logging (adds 3 filters)
- Disabled Kerberos Pre-Authentication Discovery With Get-ADUser (adds 3 filters)
- Disabled Kerberos Pre-Authentication Discovery With PowerView (adds 3 filters)
- Domain Group Discovery with Adsisearcher (adds 3 filters)
- Elevated Group Discovery with PowerView (adds 3 filters)
- Get ADUser with PowerShell Script Block (adds 3 filters)
- Get WMIObject Group Discovery with Script Block Logging (adds 3 filters)
- GetCurrent User with PowerShell Script Block (adds 3 filters)
- GetWmiObject User Account with PowerShell Script Block (adds 3 filters)
- Interactive Session on Remote Endpoint with PowerShell (adds 3 filters)
- Kerberos Pre-Authentication Flag Disabled with PowerShell (adds 3 filters)
- Powershell Enable SMB1Protocol Feature (adds 3 filters)
- Powershell Remote Services Add TrustedHost (adds 3 filters)
- Powershell Remove Windows Defender Directory (adds 3 filters)
- Powershell Using memory As Backing Store (adds 3 filters)
- PowerShell WebRequest Using Memory Stream (adds 3 filters)
- Powershell Windows Defender Exclusion Commands (adds 3 filters)
- Recon AVProduct Through Pwh or WMI (adds 3 filters)
- Recon Using WMI Class (adds 3 filters)
- Remote Process Instantiation via WinRM and PowerShell Script Block (adds 3 filters)
- Windows Account Discovery for Sam Account Name (adds 3 filters)
- Windows Account Discovery With NetUser PreauthNotRequire (adds 3 filters)
- Windows Archive Collected Data via Powershell (adds 3 filters)
- Windows Domain Account Discovery Via Get-NetComputer (adds 3 filters)
- Windows ESX Admins Group Creation via PowerShell (adds 3 filters)
- Windows Exfiltration Over C2 Via Powershell UploadString (adds 3 filters)
- Windows Get-AdComputer Unconstrained Delegation Discovery (adds 3 filters)
- Windows Powershell Cryptography Namespace (adds 3 filters)
- Windows PowerShell Get CIMInstance Remote Computer (adds 3 filters)
- Windows Powershell History File Deletion (adds 3 filters)
- Windows PowerShell Invoke-RestMethod IP Information Collection (adds 3 filters)
- Windows PowerShell MSIX Package Installation (adds 3 filters)
- Windows PowerView Constrained Delegation Discovery (adds 3 filters)
- Windows PowerView SPN Discovery (adds 3 filters)
- Windows PowerView Unconstrained Delegation Discovery (adds 3 filters)
- Windows Screen Capture Via Powershell (adds 3 filters)
- WMI Recon Running Process Or Services (adds 3 filters)
- Access to Browser Login Data (adds 2 filters)
- Potential Active Directory Enumeration Using AD Module - PsScript (adds 2 filters)
- Disable Powershell Command History (adds 2 filters)
- Enumerate Credentials from Windows Credential Manager With PowerShell (adds 2 filters)
- Service Registry Permissions Weakness Check (adds 2 filters)
- Active Directory Group Enumeration With Get-AdGroup (adds 2 filters)
- PowerShell Hotfix Enumeration (adds 2 filters)
- Execute Invoke-command on Remote Host (adds 2 filters)
- Live Memory Dump Using Powershell (adds 2 filters)
- DMSA Link Attributes Modified (adds 2 filters)
- Potential Invoke-Mimikatz PowerShell Script (adds 2 filters)
- PowerShell Remote Session Creation (adds 2 filters)
- Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock (adds 2 filters)
- Root Certificate Installed - PowerShell (adds 2 filters)
- PowerShell Set-Acl On Windows Folder - PsScript (adds 2 filters)
- Potential PowerShell Obfuscation Using Character Join (adds 2 filters)
- Suspicious GetTypeFromCLSID ShellExecute (adds 2 filters)
- Suspicious Mount-DiskImage (adds 2 filters)
- Suspicious Unblock-File (adds 2 filters)
- PowerShell Write-EventLog Usage (adds 2 filters)
- Detect Certify With PowerShell Script Block Logging (adds 2 filters)
- Detect Mimikatz With PowerShell Script Block Logging (adds 2 filters)
- Exchange PowerShell Module Usage (adds 2 filters)
- Get ADDefaultDomainPasswordPolicy with Powershell Script Block (adds 2 filters)
- Get ADUserResultantPasswordPolicy with Powershell Script Block (adds 2 filters)
- Get DomainPolicy with Powershell Script Block (adds 2 filters)
- Get-DomainTrust with PowerShell Script Block (adds 2 filters)
- Get DomainUser with PowerShell Script Block (adds 2 filters)
- Get-ForestTrust with PowerShell Script Block (adds 2 filters)
- GetAdComputer with PowerShell Script Block (adds 2 filters)
- GetAdGroup with PowerShell Script Block (adds 2 filters)
- GetDomainComputer with PowerShell Script Block (adds 2 filters)
- GetDomainController with PowerShell Script Block (adds 2 filters)
- GetDomainGroup with PowerShell Script Block (adds 2 filters)
- GetLocalUser with PowerShell Script Block (adds 2 filters)
- GetNetTcpconnection with PowerShell Script Block (adds 2 filters)
- Mailsniper Invoke functions (adds 2 filters)
- Powershell COM Hijacking InprocServer32 Modification (adds 2 filters)
- Powershell Creating Thread Mutex (adds 2 filters)
- PowerShell Domain Enumeration (adds 2 filters)
- PowerShell Enable PowerShell Remoting (adds 2 filters)
- Powershell Execute COM Object (adds 2 filters)
- Powershell Fileless Process Injection via GetProcAddress (adds 2 filters)
- Powershell Fileless Script Contains Base64 Encoded Content (adds 2 filters)
- Powershell Get LocalGroup Discovery with Script Block Logging (adds 2 filters)
- PowerShell Invoke CIMMethod CIMSession (adds 2 filters)
- PowerShell Invoke WmiExec Usage (adds 2 filters)
- Powershell Load Module in Meterpreter (adds 2 filters)
- PowerShell Loading DotNET into Memory via Reflection (adds 2 filters)
- Powershell Processing Stream Of Data (adds 2 filters)
- PowerShell Script Block With URL Chain (adds 2 filters)
- PowerShell Start or Stop Service (adds 2 filters)
- Remote Process Instantiation via DCOM and PowerShell Script Block (adds 2 filters)
- ServicePrincipalNames Discovery with PowerShell (adds 2 filters)
- Unloading AMSI via Reflection (adds 2 filters)
- User Discovery With Env Vars PowerShell Script Block (adds 2 filters)
- Windows ClipBoard Data via Get-ClipBoard (adds 2 filters)
- Windows Enable PowerShell Web Access (adds 2 filters)
- Windows File Share Discovery With Powerview (adds 2 filters)
- Windows Find Domain Organizational Units with GetDomainOU (adds 2 filters)
- Windows Find Interesting ACL with FindInterestingDomainAcl (adds 2 filters)
- Windows Forest Discovery with GetForestDomain (adds 2 filters)
- Windows Get Local Admin with FindLocalAdminAccess (adds 2 filters)
- Windows PowerShell Add Module to Global Assembly Cache (adds 2 filters)
- Windows PowerShell Export Certificate (adds 2 filters)
- Windows PowerShell Export PfxCertificate (adds 2 filters)
- Windows PowerShell IIS Components WebGlobalModule Usage (adds 2 filters)
- Windows PowerShell Invoke-Sqlcmd Execution (adds 2 filters)
- Windows Powershell Logoff User via Quser (adds 2 filters)
- Windows PowerShell ScheduleTask (adds 2 filters)
- Windows PowerShell Script Block With Malicious String (adds 2 filters)
- Windows PowerShell WMI Win32 ScheduledJob (adds 2 filters)
- Windows PowerSploit GPP Discovery (adds 2 filters)
- Windows PowerView AD Access Control List Enumeration (adds 2 filters)
- Windows PowerView Kerberos Service Ticket Request (adds 2 filters)
- AADInternals PowerShell Cmdlets Execution - PsScript (adds 1 filter)
- Add Windows Capability Via PowerShell Script (adds 1 filter)
- PowerShell ADRecon Execution (adds 1 filter)
- Potential AMSI Bypass Script Using NULL Bits (adds 1 filter)
- Automated Collection Command PowerShell (adds 1 filter)
- Windows Screen Capture with CopyFromScreen (adds 1 filter)
- Clearing Windows Console History (adds 1 filter)
- Powershell Create Scheduled Task (adds 1 filter)
- Powershell Install a DLL in System Directory (adds 1 filter)
- PowerShell Create Local User (adds 1 filter)
- Powershell Detect Virtualization Environment (adds 1 filter)
- Manipulation of User Computer or Group Security Principals Across AD (adds 1 filter)
- Potential In-Memory Execution Using Reflection.Assembly (adds 1 filter)
- Potential COM Objects Download Cradles Usage - PS Script (adds 1 filter)
- DSInternals Suspicious PowerShell Cmdlets - ScriptBlock (adds 1 filter)
- Dump Credentials from Windows Credential Manager With PowerShell (adds 1 filter)
- Enable Windows Remote Management (adds 1 filter)
- Disable of ETW Trace - Powershell (adds 1 filter)
- Certificate Exported Via PowerShell - ScriptBlock (adds 1 filter)
- Active Directory Computers Enumeration With Get-AdComputer (adds 1 filter)
- Security Software Discovery Via Powershell Script (adds 1 filter)
- HackTool - Rubeus Execution - ScriptBlock (adds 1 filter)
- HackTool - WinPwn Execution - ScriptBlock (adds 1 filter)
- Import PowerShell Modules From Suspicious Directories (adds 1 filter)
- Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript (adds 1 filter)
- Powershell DNSExfiltration (adds 1 filter)
- Invoke-Obfuscation CLIP+ Launcher - PowerShell (adds 1 filter)
- Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell (adds 1 filter)
- Invoke-Obfuscation STDIN+ Launcher - Powershell (adds 1 filter)
- Invoke-Obfuscation VAR+ Launcher - PowerShell (adds 1 filter)
- Invoke-Obfuscation Via Stdin - Powershell (adds 1 filter)
- Invoke-Obfuscation Via Use Clip - Powershell (adds 1 filter)
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell (adds 1 filter)
- Powershell Keylogging (adds 1 filter)
- Powershell LocalAccount Manipulation (adds 1 filter)
- Malicious PowerShell Commandlets - ScriptBlock (adds 1 filter)
- Malicious PowerShell Keywords (adds 1 filter)
- Modify Group Policy Settings - ScriptBlockLogging (adds 1 filter)
- Malicious Nishang PowerShell Commandlets (adds 1 filter)
- NTFS Alternate Data Stream (adds 1 filter)
- Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock (adds 1 filter)
- Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock (adds 1 filter)
- PowerShell Web Access Installation - PsScript (adds 1 filter)
- PowerView PowerShell Cmdlets - ScriptBlock (adds 1 filter)
- PowerShell Credential Prompt (adds 1 filter)
- PSAsyncShell - Asynchronous TCP Reverse Shell (adds 1 filter)
- PowerShell PSAttack (adds 1 filter)
- Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock (adds 1 filter)
- PowerShell Script With File Upload Capabilities (adds 1 filter)
- Powershell Sensitive File Discovery (adds 1 filter)
- Change PowerShell Policies to an Insecure Level - PowerShell (adds 1 filter)
- PowerShell ShellCode (adds 1 filter)
- Malicious ShellIntel PowerShell Commandlets (adds 1 filter)
- AD Groups Or Users Enumeration Using PowerShell - ScriptBlock (adds 1 filter)
- Suspicious Eventlog Clear (adds 1 filter)
- Suspicious PowerShell Download - Powershell Script (adds 1 filter)
- Powershell Execute Batch Script (adds 1 filter)
- Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy (adds 1 filter)
- Suspicious PowerShell Get Current User (adds 1 filter)
- Suspicious GPO Discovery With Get-GPO (adds 1 filter)
- Suspicious Process Discovery With Get-Process (adds 1 filter)
- PowerShell Get-Process LSASS in ScriptBlock (adds 1 filter)
- Suspicious Hyper-V Cmdlets (adds 1 filter)
- Suspicious PowerShell Invocations - Generic (adds 1 filter)
- Change User Agents with WebRequest (adds 1 filter)
- Potential Keylogger Activity (adds 1 filter)
- Potential Suspicious PowerShell Keywords (adds 1 filter)
- Suspicious Get Local Groups Information - PowerShell (adds 1 filter)
- Powershell Local Email Collection (adds 1 filter)
- PowerShell Deleted Mounted Share (adds 1 filter)
- Suspicious Connection to Remote Account (adds 1 filter)
- Recon Information for Export with PowerShell (adds 1 filter)
- Suspicious Service DACL Modification Via Set-Service Cmdlet - PS (adds 1 filter)
- Potential PowerShell Obfuscation Using Alias Cmdlets (adds 1 filter)
- Suspicious Get Information for SMB Share (adds 1 filter)
- Powershell Suspicious Win32_PnPEntity (adds 1 filter)
- Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script (adds 1 filter)
- Zip A Folder With PowerShell For Staging In Temp - PowerShell Script (adds 1 filter)
- SyncAppvPublishingServer Execution to Bypass Powershell Restriction (adds 1 filter)
- Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging (adds 1 filter)
- Tamper Windows Defender - ScriptBlockLogging (adds 1 filter)
- Powershell Timestomp (adds 1 filter)
- Potential Persistence Via PowerShell User Profile Using Add-Content (adds 1 filter)
- Usage Of Web Request Commands And Cmdlets - ScriptBlock (adds 1 filter)
- Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript (adds 1 filter)
- Windows Defender Exclusions Added - PowerShell (adds 1 filter)
- Winlogon Helper DLL (adds 1 filter)
- Powershell WMI Persistence (adds 1 filter)
- WMImplant Hack Tool (adds 1 filter)
- Suspicious X509Enrollment - Ps Script (adds 1 filter)
- PowerShell 4104 Hunting (adds 1 filter)