{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/obfuscation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Intune Management Extension","Azure AD Connect Health Agent","Windows Defender Advanced Threat Protection"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","powershell","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers frequently employ PowerShell obfuscation techniques to evade detection and hinder analysis. These techniques involve encoding, encrypting, or compressing PowerShell scripts to mask their true intent. This detection identifies PowerShell script blocks exhibiting high entropy and non-uniform character distributions, statistical characteristics often associated with obfuscated content. The rule specifically targets script blocks longer than 1000 characters with entropy bits \u0026gt;= 5.5 and surprisal standard deviation \u0026gt; 0.7. This detection is designed to highlight potentially malicious PowerShell activity that warrants further investigation by security analysts and incident responders. 
This rule was created by Elastic and last updated on May 4, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system (e.g., via phishing or exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages PowerShell, a built-in Windows scripting language, to execute malicious commands.\u003c/li\u003e\n\u003cli\u003eThe attacker uses obfuscation techniques (encoding, encryption, compression) to disguise the PowerShell script\u0026rsquo;s true intent.\u003c/li\u003e\n\u003cli\u003eThe obfuscated script is executed, bypassing basic signature-based detections.\u003c/li\u003e\n\u003cli\u003eThe script may download and execute additional payloads or establish persistence.\u003c/li\u003e\n\u003cli\u003eThe script performs malicious actions such as data exfiltration, lateral movement, or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using obfuscated PowerShell can lead to various negative impacts, including data breaches, system compromise, and disruption of services. The low severity reflects the need for further analysis to confirm malicious intent, given potential false positives from legitimate encoded scripts. 
While the exact number of affected systems and sectors is unknown, the widespread use of PowerShell makes this a potentially significant threat across many organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to generate the necessary events (4104) as outlined in the setup instructions: \u003ca href=\"https://ela.st/powershell-logging-setup\"\u003ehttps://ela.st/powershell-logging-setup\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune the thresholds (\u003ccode\u003epowershell.file.script_block_length\u003c/code\u003e, \u003ccode\u003epowershell.file.script_block_entropy_bits\u003c/code\u003e, \u003ccode\u003epowershell.file.script_block_surprisal_stdev\u003c/code\u003e) based on your environment\u0026rsquo;s baseline.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule, focusing on execution context (\u003ccode\u003euser.name\u003c/code\u003e, \u003ccode\u003ehost.name\u003c/code\u003e), script provenance (\u003ccode\u003efile.path\u003c/code\u003e), and reconstructed script content (\u003ccode\u003epowershell.file.script_block_text\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview the investigation guide within the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e section for detailed triage and analysis steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:49:36Z","date_published":"2026-05-04T14:49:36Z","id":"/briefs/2026-06-high-entropy-powershell/","summary":"This detection identifies potentially obfuscated PowerShell scripts based on high entropy and non-uniform character distributions, often used by attackers to evade signature-based detections and hinder analysis.","title":"Potential PowerShell Obfuscated Script via High 
Entropy","url":"https://feed.craftedsignal.io/briefs/2026-06-high-entropy-powershell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["defense-evasion","obfuscation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Right-to-Left Override (RTLO) character (U+202E) is a Unicode control character that causes the text following it to be rendered from right to left. Adversaries are leveraging this character in Windows command-line arguments to obfuscate malicious file names and extensions. By embedding the RTLO character within a file name or command, attackers can visually reverse the order of the characters that follow it, making a malicious file appear to be harmless. For example, a file named \u0026ldquo;evil.exe\u0026rdquo; might be renamed to \u0026ldquo;evil[U+202E]exe.pdf\u0026rdquo;, which would display as \u0026ldquo;evilpdf.exe\u0026rdquo; to a user, potentially tricking them into executing the malicious file. This technique is used both to bypass security controls and to support social engineering. 
The use of RTLO is not new, but it continues to be an effective method of tricking end users.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious executable file (e.g., \u003ccode\u003etrojan.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker renames the malicious file, embedding the RTLO character (U+202E) within the file name to reverse the visual presentation (e.g., \u003ccode\u003etrojan[U+202E]exe.scr\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe renamed file (e.g., \u003ccode\u003etrojanscr.exe\u003c/code\u003e) is distributed to the target, often via phishing or other social engineering methods.\u003c/li\u003e\n\u003cli\u003eThe user, seeing the reversed file extension, mistakes the file for a screensaver file (\u003ccode\u003e.scr\u003c/code\u003e) and executes it.\u003c/li\u003e\n\u003cli\u003eUpon execution, the malicious executable runs with the privileges of the user.\u003c/li\u003e\n\u003cli\u003eThe malware may then perform malicious activities such as installing additional malware, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the initial foothold to escalate privileges and move laterally within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary code, potentially compromising the entire system. This can result in data theft, system damage, or further propagation of malware within the network. 
The obfuscation technique makes it harder for users to identify malicious files, increasing the likelihood of successful attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Process Creation with Right-to-Left Override Character\u003c/code\u003e to your SIEM to detect processes spawned with the RTLO character in the command line.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of the RTLO character and how it can be used to disguise malicious files.\u003c/li\u003e\n\u003cli\u003eImplement file extension filtering to block execution of suspicious file types (e.g., \u003ccode\u003e.exe\u003c/code\u003e, \u003ccode\u003e.scr\u003c/code\u003e) from untrusted locations.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual file names or command-line arguments containing the RTLO character.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture command-line arguments, which is essential for detecting this technique.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T11:57:31Z","date_published":"2026-04-01T11:57:31Z","id":"/briefs/2026-04-right-to-left-override/","summary":"Adversaries are using the Right-to-Left Override (RTLO) character (U+202E) in command-line arguments to obfuscate malicious file names and trick users into executing them, achieving defense evasion.","title":"Right-to-Left Override Character Used for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2026-04-right-to-left-override/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["discovery","evasion","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly using obfuscated IP addresses (e.g., hexadecimal, octal, or other encoded representations) within download commands to 
bypass security measures that rely on simple IP address blacklisting or pattern matching. This technique makes it more difficult to identify malicious network connections based on simple string matching. The observed commands include \u003ccode\u003eInvoke-WebRequest\u003c/code\u003e, \u003ccode\u003eInvoke-RestMethod\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003eDownloadFile\u003c/code\u003e, and \u003ccode\u003eDownloadString\u003c/code\u003e. Defenders need to detect these obfuscated IPs to identify and block malicious download attempts. This technique has been observed across various attack campaigns and is a common tactic used to deliver malware while attempting to evade detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a command containing an obfuscated IP address. This may involve converting a standard IP address into its hexadecimal, octal, or decimal representation.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes a command-line tool such as \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, or PowerShell\u0026rsquo;s \u003ccode\u003eInvoke-WebRequest\u003c/code\u003e to initiate a download. 
The command includes the obfuscated IP within a URL.\u003c/li\u003e\n\u003cli\u003eThe command interpreter resolves the obfuscated IP address back to its standard format before initiating the network connection.\u003c/li\u003e\n\u003cli\u003eThe target host establishes a connection to the attacker\u0026rsquo;s server at the resolved IP address.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server delivers a malicious payload, such as a script, executable, or document containing macros.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is executed on the target system, potentially leading to further compromise, such as privilege escalation or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the download and execution of malware, potentially compromising the targeted system. This can result in data breaches, system disruption, or financial loss. The use of obfuscation techniques makes it more difficult to detect and prevent these attacks, increasing the risk of successful compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Obfuscated IP Download Activity\u0026rdquo; to your SIEM to detect the use of obfuscated IP addresses in download commands. 
Tune the rule for your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any process creation events that match the Sigma rule, paying close attention to the command-line arguments.\u003c/li\u003e\n\u003cli\u003eConsider implementing additional network-based detection mechanisms to identify connections to suspicious IP addresses, even if they are obfuscated.\u003c/li\u003e\n\u003cli\u003eMonitor process creation logs (Sysmon) for processes executing download commands like \u003ccode\u003eInvoke-WebRequest\u003c/code\u003e, \u003ccode\u003eInvoke-RestMethod\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003eDownloadFile\u003c/code\u003e, and \u003ccode\u003eDownloadString\u003c/code\u003e with suspicious arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-27T18:29:00Z","date_published":"2024-01-27T18:29:00Z","id":"/briefs/2024-01-obfuscated-ip-download/","summary":"This brief details the use of obfuscated IP addresses within download commands, often employed to evade detection by hiding the true destination of malicious downloads.","title":"Detection of Obfuscated IP Address Usage in Download Commands","url":"https://feed.craftedsignal.io/briefs/2024-01-obfuscated-ip-download/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","obfuscation","powershell"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eInvoke-Obfuscation is a PowerShell obfuscation framework used to evade detection by security products. Attackers employ this technique to disguise malicious PowerShell code, making it harder to identify through static analysis or signature-based detection. This particular technique involves passing obfuscated PowerShell code via standard input (stdin) to the PowerShell interpreter. 
This method is often employed during the execution of scripts, where malicious code is dynamically constructed and executed, leaving a reduced footprint on the file system. Defenders should be aware of this technique because it is frequently used by threat actors in conjunction with other tactics to compromise systems and execute malicious payloads. This brief provides actionable detection strategies focused on identifying this specific obfuscation pattern.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access through a vulnerability or other means (not covered in this brief).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a small, initial-stage script or binary to the target system.\u003c/li\u003e\n\u003cli\u003eThis script prepares the environment for PowerShell execution, potentially setting environment variables or disabling security features.\u003c/li\u003e\n\u003cli\u003eThe script then calls \u003ccode\u003epowershell.exe\u003c/code\u003e with parameters designed to accept input from stdin.\u003c/li\u003e\n\u003cli\u003eObfuscated PowerShell code generated by Invoke-Obfuscation is piped into the \u003ccode\u003epowershell.exe\u003c/code\u003e process via stdin. 
This code often contains commands to download, execute, or further obfuscate malicious payloads.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epowershell.exe\u003c/code\u003e process executes the obfuscated code from stdin, bypassing some common detection rules.\u003c/li\u003e\n\u003cli\u003eThe deobfuscated code performs malicious actions such as lateral movement, data exfiltration, or persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which may include data theft, system compromise, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a full compromise of the targeted system, potentially impacting other systems within the network. Obfuscation makes incident response more difficult, as identifying and analyzing the malicious code requires additional effort. Affected systems could suffer data loss, service disruption, or financial damage. The use of Invoke-Obfuscation also indicates a deliberate attempt to evade security controls, suggesting a sophisticated attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Invoke-Obfuscation Via Stdin\u003c/code\u003e to your SIEM to detect obfuscated PowerShell execution via standard input based on command-line patterns.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging on Windows endpoints, ensuring that command-line arguments are captured to facilitate detection of obfuscated commands.\u003c/li\u003e\n\u003cli\u003eInvestigate any process creation events where \u003ccode\u003epowershell.exe\u003c/code\u003e is executed with parameters that suggest input from stdin along with obfuscated code patterns.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized PowerShell scripts, reducing the attack 
surface for Invoke-Obfuscation techniques.\u003c/li\u003e\n\u003cli\u003eContinuously update and refine detection rules to adapt to new obfuscation methods and variations of the Invoke-Obfuscation framework.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"/briefs/2024-01-invoke-obfuscation-stdin/","summary":"This brief outlines detection strategies for adversaries leveraging Invoke-Obfuscation techniques within PowerShell scripts executed via standard input, a method commonly used to evade traditional detection mechanisms.","title":"Detection of Invoke-Obfuscation via Standard Input","url":"https://feed.craftedsignal.io/briefs/2024-01-invoke-obfuscation-stdin/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic License v2"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","powershell","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies PowerShell scripts employing concatenated string literals within dynamic invocation constructs like \u003ccode\u003e\u0026amp;()\u003c/code\u003e or \u003ccode\u003e.()\u003c/code\u003e. This obfuscation technique allows attackers to construct commands dynamically, making it harder to detect their malicious intent based on static analysis or keyword matching. By breaking commands into smaller, concatenated strings, attackers aim to bypass traditional signature-based detections and evade AMSI (Anti-Malware Scan Interface). This technique has been observed in various campaigns where threat actors attempt to execute malicious code while minimizing the chances of detection. 
This activity is particularly concerning for defenders, as it highlights a common method to bypass security measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script uses string concatenation to build malicious commands dynamically.\u003c/li\u003e\n\u003cli\u003eDynamic invocation constructs like \u003ccode\u003e\u0026amp;()\u003c/code\u003e or \u003ccode\u003e.()\u003c/code\u003e are used to execute the concatenated commands.\u003c/li\u003e\n\u003cli\u003eThe obfuscated commands bypass keyword-based detections and AMSI.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities, such as downloading additional payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the downloaded payloads to establish persistence or exfiltrate data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as stealing sensitive information or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete system compromise, data theft, and potential ransomware deployment. Attackers can leverage this technique to evade security controls and execute malicious commands undetected. 
The impact is high because it allows attackers to bypass common defenses and maintain persistence on the system, affecting potentially hundreds or thousands of systems across an organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the events necessary for this detection, as indicated in the setup instructions linked in the source material.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect PowerShell Obfuscation via String Concatenation\u003c/code\u003e to your SIEM and tune for your environment to detect the use of concatenated strings in PowerShell commands.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule, focusing on the reconstructed PowerShell commands and the processes that launched them, as outlined in the triage and analysis section of the source material.\u003c/li\u003e\n\u003cli\u003eMonitor for follow-on activities, such as child processes, file modifications, and network connections originating from PowerShell processes exhibiting obfuscation techniques.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-posh-concat-obfuscation/","summary":"This rule detects PowerShell scripts that build commands from concatenated string literals within dynamic invocation constructs, a technique used by attackers to obscure execution intent, bypass keyword-based detections, and evade AMSI.","title":"PowerShell Obfuscation via Concatenated Dynamic Command Invocation","url":"https://feed.craftedsignal.io/briefs/2024-01-posh-concat-obfuscation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly using 
obfuscation techniques to evade detection, specifically leveraging \u003ccode\u003eclip.exe\u003c/code\u003e in conjunction with PowerShell and command-line interpreters. This combination allows for the execution of malicious code while bypassing traditional signature-based detections. This activity often includes encoding and splitting commands to avoid string-based detection. Invoke-Obfuscation is a known framework used to generate these types of payloads. Defenders should focus on detecting the specific patterns of command execution and data manipulation that are characteristic of this technique. The detection of such obfuscated PowerShell commands is crucial for identifying and mitigating potential security breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eA command interpreter (cmd.exe) is invoked to execute a complex, obfuscated command.\u003c/li\u003e\n\u003cli\u003eThe command includes \u003ccode\u003eecho\u003c/code\u003e to write data to standard output, piping the output to \u003ccode\u003eclip.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eclip.exe\u003c/code\u003e places the output (part of the malicious PowerShell code) into the clipboard.\u003c/li\u003e\n\u003cli\u003eAnother \u003ccode\u003ecmd.exe\u003c/code\u003e process invokes PowerShell to execute the content retrieved from the clipboard.\u003c/li\u003e\n\u003cli\u003ePowerShell uses reflection to load and execute .NET assemblies from the clipboard.\u003c/li\u003e\n\u003cli\u003eThe executed code performs malicious actions, such as downloading additional payloads or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe clipboard content is cleared to remove traces of the injected code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of obfuscated PowerShell commands can lead to a range of malicious activities, including malware installation, data theft, and remote system control. The use of \u003ccode\u003eclip.exe\u003c/code\u003e and other obfuscation techniques significantly hinders detection efforts, potentially allowing attackers to operate undetected for extended periods. This can result in significant financial losses, data breaches, and reputational damage for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Invoke-Obfuscation Via Use Clip\u0026rdquo; to your SIEM to detect command lines using \u003ccode\u003eclip.exe\u003c/code\u003e and obfuscated PowerShell (see rule details).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for instances of \u003ccode\u003ecmd.exe\u003c/code\u003e invoking \u003ccode\u003eclip.exe\u003c/code\u003e with command lines containing \u003ccode\u003eecho\u003c/code\u003e piped to \u003ccode\u003eclip.exe\u003c/code\u003e (logsource: process_creation, product: windows).\u003c/li\u003e\n\u003cli\u003eInspect PowerShell execution logs for commands that access the clipboard, especially when followed by assembly loading or remote code execution (logsource: process_creation, product: windows).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-invoke-obfuscation-clip/","summary":"The use of `clip.exe` in conjunction with PowerShell and command-line obfuscation is used to evade detection.","title":"Invoke-Obfuscation via 
Clip.exe","url":"https://feed.craftedsignal.io/briefs/2024-01-invoke-obfuscation-clip/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","powershell","obfuscation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts that repeatedly concatenate quoted string literals using the \u003ccode\u003e+\u003c/code\u003e operator. Attackers use this technique to obfuscate malicious commands, URLs, or tokens, thereby evading static analysis and Anti-Malware Scan Interface (AMSI). The rule focuses on scripts with a script block length greater than 500 characters to reduce false positives. Successful exploitation allows attackers to execute malicious code without detection. This behavior matters for defenders as it bypasses traditional security measures that rely on static code analysis. This rule has been in production since 2025 and was updated in April 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or introduces a PowerShell script containing obfuscated code via string concatenation.\u003c/li\u003e\n\u003cli\u003eThe script is executed using \u003ccode\u003epowershell.exe\u003c/code\u003e, potentially with arguments to bypass execution policies.\u003c/li\u003e\n\u003cli\u003ePowerShell interprets the script, which dynamically assembles commands by concatenating multiple string literals.\u003c/li\u003e\n\u003cli\u003eThe dynamically assembled commands execute malicious actions, such as downloading a payload from a remote server.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is saved to disk or executed directly in memory.\u003c/li\u003e\n\u003cli\u003eThe payload establishes 
persistence using registry keys or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful obfuscation can lead to the execution of arbitrary code, bypassing security measures, and potentially leading to system compromise. Consequences include data theft, system disruption, or ransomware deployment. The number of potential victims is broad, encompassing any Windows system running PowerShell. This technique can affect any sector.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the full script content (referenced in the rule\u0026rsquo;s \u003ccode\u003eData Source: PowerShell Logs\u003c/code\u003e tag and the \u003ccode\u003esetup\u003c/code\u003e section of the source).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune the \u003ccode\u003eEsql.script_block_pattern_count\u003c/code\u003e threshold based on your environment (see \u003ccode\u003erules\u003c/code\u003e section below).\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by this rule, focusing on the reconstructed PowerShell script and its execution context (see \u003ccode\u003enote\u003c/code\u003e section of the source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-posh-string-concat/","summary":"This rule detects PowerShell scripts employing string concatenation to evade static analysis and AMSI by fragmenting keywords or URLs at runtime.","title":"PowerShell Obfuscation via String 
Concatenation","url":"https://feed.craftedsignal.io/briefs/2024-01-posh-string-concat/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["powershell","obfuscation","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts employing character array reconstruction to obfuscate their contents. This technique involves building strings from \u003ccode\u003echar[]\u003c/code\u003e arrays, index lookups, or repeated \u003ccode\u003e([char]NN)+\u003c/code\u003e concatenation/join operations. Threat actors leverage this method to conceal malicious commands, URLs, or payloads, making them difficult to detect through static analysis and AMSI (Anti-Malware Scan Interface). The rule focuses on identifying scripts containing these character array manipulation patterns, enabling security teams to uncover potentially malicious PowerShell activity that would otherwise be missed. 
This technique is especially useful for attackers to evade detection in environments where PowerShell logging is enabled but not actively monitored for obfuscated code.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access through various means, such as phishing emails, compromised credentials, or exploiting software vulnerabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Delivery:\u003c/strong\u003e The attacker delivers a PowerShell script containing obfuscated code using character array reconstruction.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObfuscation:\u003c/strong\u003e The PowerShell script utilizes character array manipulation to construct malicious commands, URLs, or payloads dynamically.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The character array reconstruction technique bypasses static analysis and AMSI, hindering traditional security measures.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e The script executes the reconstructed commands, potentially downloading and executing additional payloads or performing malicious actions on the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker may establish persistence by creating scheduled tasks or modifying registry keys to ensure the script runs automatically.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The script communicates with a command and control (C2) server to receive further instructions and exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their objective, which could include data theft, system compromise, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on the compromised system, potentially leading to data theft, system compromise, or ransomware deployment. The use of character array reconstruction significantly increases the likelihood of bypassing traditional security measures and successfully executing malicious actions. The severity of the impact depends on the attacker\u0026rsquo;s objectives and the level of access they gain on the compromised system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell script block logging to capture the necessary events for detection. Refer to the setup instructions in the rule details.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune it for your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule to identify potentially malicious PowerShell scripts using character array reconstruction. 
Focus on analyzing the reconstructed strings and the script\u0026rsquo;s overall behavior.\u003c/li\u003e\n\u003cli\u003eImplement strict PowerShell execution policies to restrict the execution of unsigned or untrusted scripts.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious process creations originating from PowerShell, such as spawning command-line interpreters or executing system utilities.\u003c/li\u003e\n\u003cli\u003eBlock known malicious domains and IP addresses associated with command and control servers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-posh-char-array-obfuscation/","summary":"Detects PowerShell scripts using character array reconstruction to hide commands, URLs, or payloads, evading static analysis and AMSI.","title":"PowerShell Obfuscation via Character Array Reconstruction","url":"https://feed.craftedsignal.io/briefs/2024-01-03-posh-char-array-obfuscation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["powershell","obfuscation","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies PowerShell scripts that exhibit characteristics of obfuscation, specifically those heavily reliant on whitespace and special characters. Attackers employ these techniques to bypass security measures such as static analysis and the Antimalware Scan Interface (AMSI). The rule focuses on scripts that have a low diversity of symbols and a high ratio of whitespace and special characters, a common profile for obfuscated PowerShell code. The rule leverages PowerShell script block logging (event code 4104) to analyze script content and identify suspicious patterns, aiming to detect potentially malicious scripts attempting to conceal their true intent. 
This detection helps defenders identify and investigate potentially malicious PowerShell scripts before they can execute their payloads.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access through a vulnerability or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or introduces an obfuscated PowerShell script to the target system.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script is executed, bypassing initial security checks due to the obfuscation.\u003c/li\u003e\n\u003cli\u003eThe script leverages whitespace and special characters to hide malicious commands and logic.\u003c/li\u003e\n\u003cli\u003eAt runtime, the script deobfuscates itself using PowerShell functions like \u003ccode\u003eInvoke-Expression\u003c/code\u003e or \u003ccode\u003e[char]\u003c/code\u003e casting.\u003c/li\u003e\n\u003cli\u003eThe deobfuscated code executes malicious actions, such as downloading malware or modifying system settings.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or establishing a backdoor.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary code, malware installation, and potential compromise of the entire system. Obfuscation makes it difficult to detect malicious intent, allowing attackers to bypass traditional security measures. The widespread use of PowerShell in enterprise environments makes this a significant threat vector. 
The impact could range from minor system instability to a full-scale data breach, depending on the attacker\u0026rsquo;s objectives and the privileges of the compromised account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to generate the events used by this rule (e.g., 4104).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect-Potential-PowerShell-Obfuscation\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u003ccode\u003eDetect-Potential-PowerShell-Obfuscation\u003c/code\u003e for potential malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-posh-obfuscation/","summary":"This rule detects PowerShell scripts heavily obfuscated with whitespace and special characters, often used to evade static analysis and AMSI, by identifying scripts with low symbol diversity and a high proportion of whitespace and special characters.","title":"Potential PowerShell Obfuscation via Special Character Overuse","url":"https://feed.craftedsignal.io/briefs/2024-01-posh-obfuscation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","powershell","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers leverage Invoke-Obfuscation, a popular PowerShell obfuscation framework, to generate highly obfuscated IEX (Invoke-Expression) commands. This technique allows them to bypass traditional signature-based detections and execute malicious payloads on targeted systems. Invoke-Obfuscation is designed to make PowerShell code difficult to read and analyze, thus hindering security analysts and automated detection systems. 
The obfuscation techniques include string concatenation using environment variables, character code manipulation, and other methods to mask the true intent of the script. This activity has been observed across various campaigns, typically targeting Windows environments where PowerShell is widely used. Defenders should be aware of this technique and implement robust detection mechanisms to identify and block obfuscated PowerShell execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to the target system through methods such as phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003ePayload Delivery: The attacker uploads a malicious PowerShell script or downloads it from a remote server.\u003c/li\u003e\n\u003cli\u003eObfuscation: The attacker uses Invoke-Obfuscation to obfuscate the PowerShell script, making it difficult to analyze. This can involve techniques like string concatenation using \u003ccode\u003e$PSHome\u003c/code\u003e or \u003ccode\u003e$ShellId\u003c/code\u003e, or using complex variable manipulations.\u003c/li\u003e\n\u003cli\u003eExecution: The attacker executes the obfuscated PowerShell script using \u003ccode\u003epowershell.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIEX Invocation: The obfuscated script leverages \u003ccode\u003eIEX\u003c/code\u003e (Invoke-Expression) to dynamically execute code, further hindering detection. 
The obfuscated strings are deobfuscated at runtime within the IEX context.\u003c/li\u003e\n\u003cli\u003ePersistence (Optional): The attacker may establish persistence by creating scheduled tasks or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eLateral Movement (Optional): The attacker may use the compromised system as a launching point for lateral movement within the network, using tools like \u003ccode\u003ePsExec\u003c/code\u003e or \u003ccode\u003eWinRM\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eObjective: The ultimate objective could be data exfiltration, ransomware deployment, or establishing a long-term foothold for espionage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on the compromised system, leading to various malicious activities such as data theft, system compromise, and ransomware deployment. The use of Invoke-Obfuscation makes detection more challenging, potentially allowing attackers to remain undetected for extended periods. 
This can result in significant financial losses, reputational damage, and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eInvoke-Obfuscation Obfuscated IEX Invocation\u003c/code\u003e to your SIEM to detect obfuscated IEX commands generated by Invoke-Obfuscation.\u003c/li\u003e\n\u003cli\u003eMonitor PowerShell execution logs for suspicious command-line arguments that resemble obfuscation patterns described in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement PowerShell Constrained Language Mode to restrict the capabilities of PowerShell and limit the effectiveness of obfuscation techniques.\u003c/li\u003e\n\u003cli\u003eEnable and review PowerShell Script Block Logging to capture the content of executed scripts, allowing for more in-depth analysis of malicious activity.\u003c/li\u003e\n\u003cli\u003eRegularly update your endpoint detection and response (EDR) solutions to ensure they have the latest signatures and behavioral detection capabilities.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of phishing and other social engineering attacks that may be used to deliver malicious PowerShell scripts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-invoke-obfuscation-iex/","summary":"Attackers use Invoke-Obfuscation, a PowerShell obfuscation framework, to generate obfuscated IEX (Invoke-Expression) commands, evading detection and executing malicious code.","title":"Invoke-Obfuscation Obfuscated IEX Invocation via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-invoke-obfuscation-iex/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Sysmon","Elastic Endgame","Elastic Defend","SentinelOne Cloud 
Funnel","Crowdstrike"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","command-line","unicode","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers are increasingly employing Unicode modifier letters to obfuscate command-line arguments, thereby bypassing traditional string-based detection mechanisms. This technique involves replacing standard ASCII characters with visually similar Unicode characters, making it difficult for simple pattern-matching rules to identify malicious commands. The obfuscation targets common Windows utilities such as \u003ccode\u003ereg.exe\u003c/code\u003e, \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003ePowerShell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, and others frequently abused in post-exploitation scenarios. Defenders need to implement more sophisticated detection methods that account for Unicode normalization or character range analysis to identify and mitigate this threat. 
This technique has become more prevalent in the last year as attackers seek to evade common detection strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eExecution: The attacker executes a command-line utility like \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e to perform malicious actions.\u003c/li\u003e\n\u003cli\u003eObfuscation: The command-line arguments are obfuscated by replacing ASCII characters with Unicode modifier letters.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The obfuscation allows the attacker to evade simple string-based detections that would normally flag the command as malicious.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker may use the obfuscated command to escalate privileges or gain access to sensitive resources.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker may establish persistence by creating a scheduled task or modifying the registry using obfuscated commands.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker may use the obfuscated command to move laterally to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful command obfuscation can lead to a significant compromise of Windows systems. Attackers can bypass security controls and execute malicious code undetected, potentially leading to data theft, system disruption, or ransomware deployment. 
The obfuscation makes it harder for security teams to identify and respond to attacks, increasing the dwell time and potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect the presence of Unicode modifier letters in command lines (references: Sigma rules).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture command-line arguments for analysis (references: Sysmon setup instructions).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule and analyze the raw command lines to identify the true intent of the command (references: Triage and Analysis section of the source).\u003c/li\u003e\n\u003cli\u003eConsider implementing Unicode normalization techniques to remove the obfuscation before analyzing command lines.\u003c/li\u003e\n\u003cli\u003eMonitor the listed processes (\u003ccode\u003ereg.exe\u003c/code\u003e, \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, etc.) 
more closely for suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-unicode-cmd-obfuscation/","summary":"Adversaries use Unicode modifier letters to obfuscate command-line arguments, evading string-based detections on common Windows utilities like PowerShell and cmd.exe.","title":"Command Obfuscation via Unicode Modifier Letters","url":"https://feed.craftedsignal.io/briefs/2024-01-unicode-cmd-obfuscation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["windows","PowerShell"],"_cs_severities":["high"],"_cs_tags":["powershell","obfuscation","defense-evasion","variable-expansion","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft"],"content_html":"\u003cp\u003eThis rule detects PowerShell scripts employing backtick-escaped characters within \u003ccode\u003e${}\u003c/code\u003e variable expansion, a technique used to reconstruct strings at runtime. Attackers leverage variable-expansion obfuscation to split keywords, conceal commands, and bypass static analysis and AMSI (Antimalware Scan Interface). This obfuscation method involves inserting multiple backticks between word characters inside \u003ccode\u003e${}\u003c/code\u003e blocks. Detecting this behavior is crucial as it signifies attempts to evade security measures and potentially execute malicious code on compromised systems. 
The rule focuses on identifying scripts with a length exceeding 500 characters to minimize false positives and targets PowerShell event code 4104.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or creates a PowerShell script on the target system.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script employs backtick-escaped variable expansion (e.g., \u003ccode\u003e$env:use``r``na``me\u003c/code\u003e) to obfuscate its contents.\u003c/li\u003e\n\u003cli\u003eThe obfuscated script is executed using powershell.exe.\u003c/li\u003e\n\u003cli\u003eThe script dynamically reconstructs commands and strings by evaluating the backtick-escaped variables.\u003c/li\u003e\n\u003cli\u003eThe reconstructed commands perform malicious activities, such as downloading additional payloads or modifying system configurations.\u003c/li\u003e\n\u003cli\u003eThe script attempts to evade detection by AMSI and other security tools.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence and control over the compromised system, potentially leading to data exfiltration or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, system compromise, and data theft. While the number of victims is unknown, PowerShell is a common attack vector on Windows environments. The sectors most affected are organizations relying on Windows infrastructure without adequate PowerShell monitoring and security controls. 
Failure to detect and prevent this technique allows attackers to bypass security measures and gain unauthorized access to sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to generate event code 4104. (Reference: Setup section)\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect PowerShell Backtick Variable Obfuscation\u003c/code\u003e to identify scripts using backtick-escaped variable expansion.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on scripts with a high \u003ccode\u003eEsql.script_block_pattern_count\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eMonitor for process creation events where powershell.exe executes obfuscated commands as detected by the Sigma rule \u003ccode\u003eDetect Suspicious PowerShell Encoded Commands\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview PowerShell logs for event code 4104 and examine \u003ccode\u003epowershell.file.script_block_text\u003c/code\u003e for suspicious patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-powershell-backtick-obfuscation/","summary":"PowerShell scripts use backtick-escaped characters inside `${}` variable expansion to reconstruct strings at runtime, enabling attackers to split keywords, hide commands, and evade static analysis and AMSI.","title":"PowerShell Obfuscation via Backtick-Escaped Variable Expansion","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-backtick-obfuscation/"}],"language":"en","title":"CraftedSignal Threat Feed — Obfuscation","version":"https://jsonfeed.org/version/1.1"}