Threat Feed
Advisory severity: high

PowerShell Obfuscation via String Concatenation

This rule detects PowerShell scripts employing string concatenation to evade static analysis and AMSI by fragmenting keywords or URLs at runtime.

This detection identifies PowerShell scripts that repeatedly concatenate quoted string literals with the + operator. Attackers use this technique to obfuscate malicious commands, URLs, or tokens: the sensitive string is only assembled at runtime and never appears intact in the script text, which lets it evade static analysis and the Antimalware Scan Interface (AMSI). The rule only considers script blocks longer than 500 characters, which reduces false positives from ordinary short scripts that happen to join a string or two. Successful use of the technique lets an attacker execute malicious code without being detected by controls that rely on static code analysis, which is why this behavior matters to defenders. This rule has been in production since 2025 and was updated in April 2026.

Attack Chain

  1. An attacker gains initial access to a Windows system through various means (e.g., phishing, exploit).
  2. The attacker uploads or introduces a PowerShell script containing obfuscated code via string concatenation.
  3. The script is executed using powershell.exe, potentially with arguments to bypass execution policies.
  4. PowerShell interprets the script, which dynamically assembles commands by concatenating multiple string literals.
  5. The dynamically assembled commands execute malicious actions, such as downloading a payload from a remote server.
  6. The downloaded payload is saved to disk or executed directly in memory.
  7. The payload establishes persistence using registry keys or scheduled tasks.
  8. The attacker achieves their objective, such as data exfiltration or deploying ransomware.

Impact

Successful obfuscation can lead to arbitrary code execution and bypassed security controls, potentially resulting in full system compromise. Consequences include data theft, system disruption, or ransomware deployment. The pool of potential victims is broad: any Windows system running PowerShell, in any sector.

Recommendation

  • Enable PowerShell Script Block Logging to capture the full script content (referenced in the rule’s Data Source: PowerShell Logs tag and the setup section of the source).
  • Deploy the provided Sigma rule to your SIEM and tune the Esql.script_block_pattern_count threshold based on your environment (see rules section below).
  • Investigate alerts generated by this rule, focusing on the reconstructed PowerShell script and its execution context (see note section of the source).
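The counting logic described above (quoted literals joined with +, applied only to script blocks over 500 characters) and the threshold the second recommendation asks you to tune can be prototyped against logged script-block text. The following Python is an added example, not the platform's rule or query; the regular expression, the sample script blocks, the starting threshold of 5 and the field names are assumptions, while the 500-character gate comes from the advisory.

```python
import re

# One quoted PowerShell literal ('...' or "...") followed by "+" and the opening
# quote of another literal. The lookahead leaves the second literal unconsumed,
# so "a" + "b" + "c" counts as two junctions. Escaped or doubled quotes inside a
# literal are not handled; this mirrors a plain text-pattern rule, not a parser.
CONCAT_JUNCTION = re.compile(r"""(["'])(?:(?!\1).)*\1\s*\+\s*(?=["'])""")

MIN_SCRIPT_BLOCK_LENGTH = 500  # length gate stated in the advisory
DEFAULT_PATTERN_THRESHOLD = 5  # assumed starting value; tune per environment


def count_string_concatenations(script_block: str) -> int:
    """Count quoted-literal + quoted-literal junctions in one script block."""
    return sum(1 for _ in CONCAT_JUNCTION.finditer(script_block))


def evaluate_script_block(script_block: str, threshold: int = DEFAULT_PATTERN_THRESHOLD) -> dict:
    """Apply the advisory's logic: skip short blocks, then compare the junction count to the threshold."""
    length = len(script_block)
    count = count_string_concatenations(script_block)
    return {
        "length": length,
        "pattern_count": count,
        "alert": length > MIN_SCRIPT_BLOCK_LENGTH and count >= threshold,
    }


# Constructed sample script-block texts, shaped like the ScriptBlockText field of
# a PowerShell Operational Event ID 4104 record. The fragmented command is the
# harmless Write-Output; only the concatenation structure matters for the rule.
OBFUSCATED_BLOCK = (
    '$cmd = "W" + "r" + "i" + "t" + "e" + "-" + "O" + "u" + "t" + "p" + "u" + "t"\n'
    "$arg = 'he' + \"ll\" + 'o'\n"
    "& $cmd $arg\n"
    + "# filler comment line to bring the block over the 500-character gate\n" * 7
)

# A single concatenation in a short block: the length gate suppresses it.
BENIGN_BLOCK = '$greeting = "Hello, " + "world"\nWrite-Output $greeting\n'

if __name__ == "__main__":
    for name, block in (("obfuscated", OBFUSCATED_BLOCK), ("benign", BENIGN_BLOCK)):
        print(name, evaluate_script_block(block))
```

Raising or lowering DEFAULT_PATTERN_THRESHOLD against a sample of your own 4104 events is the tuning step the recommendation refers to.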

Detection coverage (2 rules)

Detect PowerShell Obfuscation via String Concatenation

Severity: high

Detects PowerShell scripts that use string concatenation to obfuscate commands.

Format: sigma; tactics: defense_evasion; techniques: T1027; log sources: process_creation, windows

Detect Suspicious PowerShell Script Block with String Concatenation

Severity: medium

Detects PowerShell script blocks containing multiple concatenated strings, indicative of obfuscation.

Format: sigma; tactics: defense_evasion; techniques: T1027; log sources: powershell_operational, windows

Detection queries are kept inside the platform.