eq_0001 — 2 rules with the same canonical form

Vendors: elastic (2). Stage count: 3. Correlation shape: single_event.

Members

Elastic Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion events 4104
Elastic Potential Dynamic IEX Reconstruction via Environment Variables events 4104

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1059` Command and Scripting Interpreter, `T1059.001` Command and Scripting Interpreter: PowerShell
Defense Evasion	`T1027` Obfuscated Files or Information, `T1027.010` Obfuscated Files or Information: Command Obfuscation, `T1140` Deobfuscate/Decode Files or Information

Stages and predicates (per member)

Each member's stage rendered in its own native syntax (verbatim source where the IR captures it; falls back to the synthesised native form for the few stage types whose source segments aren't recoverable).

Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion — stage 1 `esql:from`

Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion — stage 2 `esql:where`

Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion — stage 3 `esql:eval`

Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion — stage 4 `esql:where`

Esql.script_block_length > 500

Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion — stage 5 `esql:eval`

Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion — stage 6 `esql:eval`

Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion — stage 7 `esql:keep`

Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion — stage 8 `esql:where`

Esql.script_block_pattern_count >= 1

Potential Dynamic IEX Reconstruction via Environment Variables — stage 9 `esql:from`

Potential Dynamic IEX Reconstruction via Environment Variables — stage 10 `esql:where`

Potential Dynamic IEX Reconstruction via Environment Variables — stage 11 `esql:eval`

Potential Dynamic IEX Reconstruction via Environment Variables — stage 12 `esql:where`

Esql.script_block_length > 500

Potential Dynamic IEX Reconstruction via Environment Variables — stage 13 `esql:eval`

Potential Dynamic IEX Reconstruction via Environment Variables — stage 14 `esql:eval`

Potential Dynamic IEX Reconstruction via Environment Variables — stage 15 `esql:keep`

Potential Dynamic IEX Reconstruction via Environment Variables — stage 16 `esql:where`

Esql.script_block_pattern_count >= 1

Indicators (across all members)

Field	Kind	Value	Members	Corpus
`Esql.script_block_length`	gt	`500`	2	6
`Esql.script_block_pattern_count`	ge	`1`	2	6

eq_0001 — 2 rules with the same canonical form

Members

MITRE ATT&CK coverage

Stages and predicates (per member)

Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion — stage 1 esql:from

Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion — stage 2 esql:where

Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion — stage 3 esql:eval

Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion — stage 4 esql:where

Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion — stage 5 esql:eval

Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion — stage 6 esql:eval

Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion — stage 7 esql:keep

Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion — stage 8 esql:where

Potential Dynamic IEX Reconstruction via Environment Variables — stage 9 esql:from

Potential Dynamic IEX Reconstruction via Environment Variables — stage 10 esql:where

Potential Dynamic IEX Reconstruction via Environment Variables — stage 11 esql:eval

Potential Dynamic IEX Reconstruction via Environment Variables — stage 12 esql:where

Potential Dynamic IEX Reconstruction via Environment Variables — stage 13 esql:eval

Potential Dynamic IEX Reconstruction via Environment Variables — stage 14 esql:eval

Potential Dynamic IEX Reconstruction via Environment Variables — stage 15 esql:keep

Potential Dynamic IEX Reconstruction via Environment Variables — stage 16 esql:where