detection.wiki

Detection rules › Elastic

PowerShell Obfuscation via Negative Index String Reversal

Author
Elastic
Source
upstream

Detects PowerShell scripts that uses negative index ranges (for example, $var[-1..0]) to reverse strings or arrays and rebuild content at runtime. Attackers use index reversal to reconstruct hidden commands or payloads and evade static analysis and AMSI.

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1059 Command and Scripting Interpreter, T1059.001 Command and Scripting Interpreter: PowerShell
Defense EvasionT1027 Obfuscated Files or Information, T1027.010 Obfuscated Files or Information: Command Obfuscation, T1140 Deobfuscate/Decode Files or Information

Event coverage

ProviderEvent IDTitle
PowerShell4104Creating Scriptblock text (MessageNumber of MessageTotal).

Stages and Predicates

Stage 1: esql:from

Stage 2: esql:where

Stage 3: esql:eval

Stage 4: esql:where

Esql.script_block_length > 500

Stage 5: esql:eval

Stage 6: esql:eval

Stage 7: esql:keep

Stage 8: esql:where

Esql.script_block_pattern_count >= 1

Stage 9: esql:where

not powershell.file.script_block_text:"GENESIS-5654"

Stage 10: esql:where

(not file.name:* or <macro:>)

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

StageFieldKindExcluded values
1ScriptBlockTextmatchGENESIS-5654

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Esql.script_block_lengthgt
  • 500 corpus 6 (elastic 6)
Esql.script_block_pattern_countge
  • 1 corpus 6 (elastic 6)

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.