detection-rules icon indicating copy to clipboard operation
detection-rules copied to clipboard
verified publisher icon elastic

[New Rule] Potential PowerShell Obfuscation via Reverse Keywords

Open w0rk3r opened this issue 9 months ago • 4 comments

Issues

Part of https://github.com/elastic/ia-trade-team/issues/533

Summary

Identifies PowerShell scripts that use reversed strings as a form of obfuscation. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI).

3 hits last 90d on telemetry, no FPs

Additional information

From my testing, the | KEEP condition doesn’t need to specify any fields other than the metadata ones (_id and _index), as the engine appears to populate the alert using them. However, I’m keeping it as-is because it significantly improves performance in Discovery and makes the results more understandable if someone uses the query for hunting.

image

Sample Match

image

w0rk3r avatar Apr 14 '25 19:04 w0rk3r

Rule: New - Guidelines

These guidelines serve as a reminder set of considerations when proposing a new rule.

Documentation and Context

  • [ ] Detailed description of the rule.
  • [ ] List any new fields required in ECS/data sources.
  • [ ] Link related issues or PRs.
  • [ ] Include references.

Rule Metadata Checks

  • [ ] creation_date matches the date of creation PR initially merged.
  • [ ] min_stack_version should support the widest stack versions.
  • [ ] name and description should be descriptive and not include typos.
  • [ ] query should be inclusive, not overly exclusive, considering performance for diverse environments. Non ecs fields should be added to non-ecs-schema.json if not available in an integration.
  • [ ] min_stack_comments and min_stack_version should be included if the rule is only compatible starting from a specific stack version.
  • [ ] index pattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data).
  • [ ] integration should align with the index. If the integration is newly introduced, ensure the manifest, schemas, and new_rule.yaml template are updated.
  • [ ] setup should include the necessary steps to configure the integration.
  • [ ] note should include any additional information (e.g. Triage and analysis investigation guides, timeline templates).
  • [ ] tags should be relevant to the threat and align/added to the EXPECTED_RULE_TAGS in the definitions.py file.
  • [ ] threat, techniques, and subtechniques should map to ATT&CK always if possible.

New BBR Rules

  • [ ] building_block_type should be included if the rule is a building block and the rule should be located in the rules_building_block folder.
  • [ ] bypass_bbr_timing should be included if adding custom lookback timing to the rule.

Testing and Validation

  • [ ] Provide evidence of testing and detecting the expected threat.
  • [ ] Check for existence of coverage to prevent duplication.

github-actions[bot] avatar Apr 14 '25 19:04 github-actions[bot]

⛔️ Test failed

Results
  • ❌ Potential PowerShell Obfuscation via Reverse Keywords (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

tradebot-elastic avatar Apr 14 '25 19:04 tradebot-elastic

⛔️ Test failed

Results
  • ❌ Potential PowerShell Obfuscation via Reverse Keywords (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

tradebot-elastic avatar Apr 15 '25 15:04 tradebot-elastic

⛔️ Test failed

Results
  • ❌ Potential PowerShell Obfuscation via Reverse Keywords (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

tradebot-elastic avatar Apr 16 '25 22:04 tradebot-elastic

⛔️ Test failed

Results
  • ❌ Potential PowerShell Obfuscation via Reverse Keywords (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

tradebot-elastic avatar May 06 '25 12:05 tradebot-elastic