Potential PowerShell Obfuscation via String Reordering

Author: Elastic
Source: upstream

Detects PowerShell scripts that uses format placeholders like "{0}{1}" with the -f operator or ::Format to reorder strings at runtime. Attackers use format-based reconstruction to hide commands or payload strings and evade static analysis and AMSI.

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1059` Command and Scripting Interpreter, `T1059.001` Command and Scripting Interpreter: PowerShell
Defense Evasion	`T1027` Obfuscated Files or Information, `T1027.010` Obfuscated Files or Information: Command Obfuscation, `T1140` Deobfuscate/Decode Files or Information

Event coverage

Provider	Event ID	Title
PowerShell	4104	Creating Scriptblock text (MessageNumber of MessageTotal).

Stages and Predicates

Stage 1: `esql:from`

Stage 2: `esql:where`

powershell.file.script_block_text:"{0}"

Stage 3: `esql:eval`

Stage 4: `esql:where`

Esql.script_block_length > 500

Stage 5: `esql:eval`

Stage 6: `esql:eval`

Stage 7: `esql:keep`

Stage 8: `esql:where`

Esql.script_block_pattern_count >= 5

Stage 9: `esql:where`

(not file.directory:"C:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\icinga-powershell-framework\\\\cache" or not file.directory:*)

Stage 10: `esql:where`

not (powershell.file.script_block_text:"$s.BranchBehindStatusSymbol.Text" and powershell.file.script_block_text:"GitBranchStatus")

Stage 11: `esql:where`

not ((powershell.file.script_block_text:"$local:Bypassed" or powershell.file.script_block_text:"origPSExecutionPolicyPreference") and (powershell.file.script_block_text:":::::\\\\\\\\windows\\\\\\\\sentinel" or powershell.file.script_block_text:"sentinelbreakpoints"))

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage	Field	Kind	Excluded values
1	`ScriptBlockText`	match	`$s.BranchBehindStatusSymbol.Text`
2	`ScriptBlockText`	match	`GitBranchStatus`
1	`ScriptBlockText`	match	`$local:Bypassed`
2	`ScriptBlockText`	match	`origPSExecutionPolicyPreference`
3	`ScriptBlockText`	match	`:::::\\\\windows\\\\sentinel`
4	`ScriptBlockText`	match	`sentinelbreakpoints`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Esql.script_block_length`	gt	`500` corpus 6 (elastic 6)
`Esql.script_block_pattern_count`	ge	`5`
`powershell.file.script_block_text`	wildcard	`{0}`

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.

Powershell Directory Enumeration [sigma] (cross-vendor) (adds 7 filters) (first-stage match only; downstream stages may differ)
Silence.EDA Detection [sigma] (cross-vendor) (adds 6 filters) (first-stage match only; downstream stages may differ)
Automated Collection Bookmarks Using Get-ChildItem PowerShell [sigma] (cross-vendor) (adds 6 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation Via Use MSHTA - PowerShell [sigma] (cross-vendor) (adds 6 filters) (first-stage match only; downstream stages may differ)
Suspicious Invoke-Item From Mount-DiskImage [sigma] (cross-vendor) (adds 6 filters) (first-stage match only; downstream stages may differ)
Potential Persistence Via Security Descriptors - ScriptBlock [sigma] (cross-vendor) (adds 6 filters) (first-stage match only; downstream stages may differ)
Suspicious New-PSDrive to Admin Share [sigma] (cross-vendor) (adds 6 filters) (first-stage match only; downstream stages may differ)
WMIC Unquoted Services Path Lookup - PowerShell [sigma] (cross-vendor) (adds 6 filters) (first-stage match only; downstream stages may differ)
Windows Exfiltration Over C2 Via Invoke RestMethod [splunk] (cross-vendor) (adds 6 filters) (first-stage match only; downstream stages may differ)
Windows Gather Victim Host Information Camera [splunk] (cross-vendor) (adds 6 filters) (first-stage match only; downstream stages may differ)
Get-ADUser Enumeration Using UserAccountControl Flags [sigma] (cross-vendor) (adds 5 filters) (first-stage match only; downstream stages may differ)
DirectorySearcher Powershell Exploitation [sigma] (cross-vendor) (adds 5 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation Via Use Rundll32 - PowerShell [sigma] (cross-vendor) (adds 5 filters) (first-stage match only; downstream stages may differ)
Suspicious PowerShell Invocations - Specific [sigma] (cross-vendor) (adds 5 filters) (first-stage match only; downstream stages may differ)
PowerShell WMI Win32_Product Install MSI [sigma] (cross-vendor) (adds 5 filters) (first-stage match only; downstream stages may differ)
Allow Inbound Traffic In Firewall Rule [splunk] (cross-vendor) (adds 5 filters) (first-stage match only; downstream stages may differ)
GetWmiObject DS User with PowerShell Script Block [splunk] (cross-vendor) (adds 5 filters) (first-stage match only; downstream stages may differ)
Remote Process Instantiation via WMI and PowerShell Script Block [splunk] (cross-vendor) (adds 5 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell [sigma] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell [sigma] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Powershell MsXml COM Object [sigma] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Code Executed Via Office Add-in XLL File [sigma] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
PowerShell Script With File Hostname Resolving Capabilities [sigma] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Detected Windows Software Discovery - PowerShell [sigma] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Powershell Store File In Alternate Data Stream [sigma] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Extracting Information with PowerShell [sigma] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Troubleshooting Pack Cmdlet Execution [sigma] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Replace Desktop Wallpaper by Powershell [sigma] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Veeam Backup Servers Credential Dumping Script Execution [sigma] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Potential WinAPI Calls Via PowerShell Scripts [sigma] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
AdsiSearcher Account Discovery [splunk] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
GetWmiObject Ds Computer with PowerShell Script Block [splunk] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
GetWmiObject Ds Group with PowerShell Script Block [splunk] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Remote System Discovery with Adsisearcher [splunk] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Windows Account Discovery for None Disable User Account [splunk] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Windows Linked Policies In ADSI Discovery [splunk] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Windows PowerShell Disable HTTP Logging [splunk] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Windows Powershell Import Applocker Policy [splunk] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Windows Root Domain linked policies Discovery [splunk] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Powershell Add Name Resolution Policy Table Rule [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
AMSI Bypass Pattern Assembly GetType [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Potential Data Exfiltration Via Audio File [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Clear PowerShell History - PowerShell [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Registry-Free Process Scope COR_PROFILER [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
DMSA Service Account Created in Specific OUs - PowerShell [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Create Volume Shadow Copy with Powershell [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Disable-WindowsOptionalFeature Command PowerShell [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Potential Suspicious Windows Feature Enabled [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Suspicious FromBase64String Usage On Gzip Archive - Ps Script [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Suspicious Get-ADReplAccount [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
PowerShell ICMP Exfiltration [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Suspicious PowerShell Mailbox Export to Share - PS [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
PowerShell Script Change Permission Via Set-Acl - PsScript [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Suspicious IO.FileStream [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Suspicious TCP Tunnel Via PowerShell Script [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Remove Account From Domain Admin Group [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Suspicious SSL Connection [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Suspicious Start-Process PassThru [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Suspicious PowerShell WindowStyle Option [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Testing Usage of Uncommonly Used Port [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
User Discovery And Export Via Get-ADUser Cmdlet - PowerShell [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Abuse of Service Permissions to Hide Services Via Set-Service - PS [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Registry Modification Attempt Via VBScript - PowerShell [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows Firewall Profile Disabled [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Powershell XML Execute Command [sigma] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Delete ShadowCopy With PowerShell [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Detect Copy of ShadowCopy with Script Block Logging [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Detect Empire with PowerShell Script Block Logging [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Disabled Kerberos Pre-Authentication Discovery With PowerView [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Domain Group Discovery with Adsisearcher [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Elevated Group Discovery with PowerView [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Get ADUser with PowerShell Script Block [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Get WMIObject Group Discovery with Script Block Logging [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
GetCurrent User with PowerShell Script Block [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
GetWmiObject User Account with PowerShell Script Block [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Interactive Session on Remote Endpoint with PowerShell [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Kerberos Pre-Authentication Flag Disabled with PowerShell [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Powershell Enable SMB1Protocol Feature [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Powershell Remote Services Add TrustedHost [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Powershell Remove Windows Defender Directory [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Powershell Using memory As Backing Store [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
PowerShell WebRequest Using Memory Stream [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Powershell Windows Defender Exclusion Commands [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Recon AVProduct Through Pwh or WMI [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Recon Using WMI Class [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Remote Process Instantiation via WinRM and PowerShell Script Block [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows Account Discovery for Sam Account Name [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows Account Discovery With NetUser PreauthNotRequire [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows Archive Collected Data via Powershell [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows Domain Account Discovery Via Get-NetComputer [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows ESX Admins Group Creation via PowerShell [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows Exfiltration Over C2 Via Powershell UploadString [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows Get-AdComputer Unconstrained Delegation Discovery [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows Powershell Cryptography Namespace [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows PowerShell Get CIMInstance Remote Computer [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows Powershell History File Deletion [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows PowerShell Invoke-RestMethod IP Information Collection [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows PowerShell MSIX Package Installation [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows PowerView Constrained Delegation Discovery [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows PowerView SPN Discovery [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows PowerView Unconstrained Delegation Discovery [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows Screen Capture Via Powershell [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
WMI Recon Running Process Or Services [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Access to Browser Login Data [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Potential Active Directory Enumeration Using AD Module - PsScript [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Disable Powershell Command History [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Enumerate Credentials from Windows Credential Manager With PowerShell [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Service Registry Permissions Weakness Check [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Active Directory Group Enumeration With Get-AdGroup [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
PowerShell Hotfix Enumeration [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Execute Invoke-command on Remote Host [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Live Memory Dump Using Powershell [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
DMSA Link Attributes Modified [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Potential Invoke-Mimikatz PowerShell Script [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
PowerShell Remote Session Creation [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Root Certificate Installed - PowerShell [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
PowerShell Set-Acl On Windows Folder - PsScript [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Potential PowerShell Obfuscation Using Character Join [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Suspicious GetTypeFromCLSID ShellExecute [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Suspicious Mount-DiskImage [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Suspicious Unblock-File [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
PowerShell Write-EventLog Usage [sigma] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Detect Certify With PowerShell Script Block Logging [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Detect Mimikatz With PowerShell Script Block Logging [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Exchange PowerShell Module Usage [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Get ADDefaultDomainPasswordPolicy with Powershell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Get ADUserResultantPasswordPolicy with Powershell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Get DomainPolicy with Powershell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Get-DomainTrust with PowerShell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Get DomainUser with PowerShell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Get-ForestTrust with PowerShell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
GetAdComputer with PowerShell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
GetAdGroup with PowerShell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
GetDomainComputer with PowerShell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
GetDomainController with PowerShell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
GetDomainGroup with PowerShell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
GetLocalUser with PowerShell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
GetNetTcpconnection with PowerShell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Mailsniper Invoke functions [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Powershell COM Hijacking InprocServer32 Modification [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Powershell Creating Thread Mutex [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
PowerShell Domain Enumeration [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
PowerShell Enable PowerShell Remoting [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Powershell Execute COM Object [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Powershell Fileless Process Injection via GetProcAddress [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Powershell Fileless Script Contains Base64 Encoded Content [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Powershell Get LocalGroup Discovery with Script Block Logging [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
PowerShell Invoke CIMMethod CIMSession [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
PowerShell Invoke WmiExec Usage [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Powershell Load Module in Meterpreter [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
PowerShell Loading DotNET into Memory via Reflection [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Powershell Processing Stream Of Data [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
PowerShell Script Block With URL Chain [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
PowerShell Start or Stop Service [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Remote Process Instantiation via DCOM and PowerShell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
ServicePrincipalNames Discovery with PowerShell [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Unloading AMSI via Reflection [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
User Discovery With Env Vars PowerShell Script Block [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows ClipBoard Data via Get-ClipBoard [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows Enable PowerShell Web Access [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows File Share Discovery With Powerview [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows Find Domain Organizational Units with GetDomainOU [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows Find Interesting ACL with FindInterestingDomainAcl [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows Forest Discovery with GetForestDomain [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows Get Local Admin with FindLocalAdminAccess [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows PowerShell Add Module to Global Assembly Cache [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows PowerShell Export Certificate [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows PowerShell Export PfxCertificate [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows PowerShell IIS Components WebGlobalModule Usage [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows PowerShell Invoke-Sqlcmd Execution [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows Powershell Logoff User via Quser [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows PowerShell ScheduleTask [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows PowerShell Script Block With Malicious String [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows PowerShell WMI Win32 ScheduledJob [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows PowerSploit GPP Discovery [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows PowerView AD Access Control List Enumeration [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows PowerView Kerberos Service Ticket Request [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
AADInternals PowerShell Cmdlets Execution - PsScript [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Add Windows Capability Via PowerShell Script [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
PowerShell ADRecon Execution [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Potential AMSI Bypass Script Using NULL Bits [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Automated Collection Command PowerShell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Windows Screen Capture with CopyFromScreen [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Clearing Windows Console History [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Powershell Create Scheduled Task [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Powershell Install a DLL in System Directory [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
PowerShell Create Local User [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Powershell Detect Virtualization Environment [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Manipulation of User Computer or Group Security Principals Across AD [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Potential In-Memory Execution Using Reflection.Assembly [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Potential COM Objects Download Cradles Usage - PS Script [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
DSInternals Suspicious PowerShell Cmdlets - ScriptBlock [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Dump Credentials from Windows Credential Manager With PowerShell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Enable Windows Remote Management [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Disable of ETW Trace - Powershell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Certificate Exported Via PowerShell - ScriptBlock [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Active Directory Computers Enumeration With Get-AdComputer [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Security Software Discovery Via Powershell Script [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
HackTool - Rubeus Execution - ScriptBlock [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
HackTool - WinPwn Execution - ScriptBlock [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Import PowerShell Modules From Suspicious Directories [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Powershell DNSExfiltration [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation CLIP+ Launcher - PowerShell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation STDIN+ Launcher - Powershell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation VAR+ Launcher - PowerShell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation Via Stdin - Powershell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation Via Use Clip - Powershell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Powershell Keylogging [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Powershell LocalAccount Manipulation [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Malicious PowerShell Commandlets - ScriptBlock [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Malicious PowerShell Keywords [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Modify Group Policy Settings - ScriptBlockLogging [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Malicious Nishang PowerShell Commandlets [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
NTFS Alternate Data Stream [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
PowerShell Web Access Installation - PsScript [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
PowerView PowerShell Cmdlets - ScriptBlock [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
PowerShell Credential Prompt [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
PSAsyncShell - Asynchronous TCP Reverse Shell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
PowerShell PSAttack [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
PowerShell Script With File Upload Capabilities [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Powershell Sensitive File Discovery [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Change PowerShell Policies to an Insecure Level - PowerShell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
PowerShell ShellCode [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Malicious ShellIntel PowerShell Commandlets [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
AD Groups Or Users Enumeration Using PowerShell - ScriptBlock [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious Eventlog Clear [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious PowerShell Download - Powershell Script [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Powershell Execute Batch Script [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious PowerShell Get Current User [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious GPO Discovery With Get-GPO [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious Process Discovery With Get-Process [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
PowerShell Get-Process LSASS in ScriptBlock [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious Hyper-V Cmdlets [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious PowerShell Invocations - Generic [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Change User Agents with WebRequest [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Potential Keylogger Activity [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Potential Suspicious PowerShell Keywords [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious Get Local Groups Information - PowerShell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Powershell Local Email Collection [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
PowerShell Deleted Mounted Share [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious Connection to Remote Account [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Recon Information for Export with PowerShell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious Service DACL Modification Via Set-Service Cmdlet - PS [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Potential PowerShell Obfuscation Using Alias Cmdlets [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious Get Information for SMB Share [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Powershell Suspicious Win32_PnPEntity [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Zip A Folder With PowerShell For Staging In Temp - PowerShell Script [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
SyncAppvPublishingServer Execution to Bypass Powershell Restriction [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Tamper Windows Defender - ScriptBlockLogging [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Powershell Timestomp [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Potential Persistence Via PowerShell User Profile Using Add-Content [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Usage Of Web Request Commands And Cmdlets - ScriptBlock [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Windows Defender Exclusions Added - PowerShell [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Winlogon Helper DLL [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Powershell WMI Persistence [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
WMImplant Hack Tool [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious X509Enrollment - Ps Script [sigma] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)
PowerShell 4104 Hunting [splunk] (cross-vendor) (adds 1 filter) (first-stage match only; downstream stages may differ)

Potential PowerShell Obfuscation via String Reordering

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: esql:from

Stage 2: esql:where

Stage 3: esql:eval

Stage 4: esql:where

Stage 5: esql:eval

Stage 6: esql:eval

Stage 7: esql:keep

Stage 8: esql:where

Stage 9: esql:where

Stage 10: esql:where

Stage 11: esql:where