From 254589d1562d40b757aab0ab7a130b476a757c9e Mon Sep 17 00:00:00 2001
From: norbert
Date: Thu, 11 Jun 2026 10:40:18 +0200
Subject: [PATCH 1/2] Add new powershell rule
---
 ...tion_via_exported_commands_array_index.yml | 41 +++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_cmdlet_invocation_via_exported_commands_array_index.yml
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cmdlet_invocation_via_exported_commands_array_index.yml b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_invocation_via_exported_commands_array_index.yml
new file mode 100644
index 00000000000..dc6f7e7c347
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_invocation_via_exported_commands_array_index.yml
@@ -0,0 +1,41 @@
+title: Potential Cmdlet Invocation Via ExportedCommands Array Index
+id: 4ff4ad3e-9fb5-4a70-9962-d6ea58090318
+status: experimental
+description: |
+ Detects PowerShell scripts that enumerate Microsoft.PowerShell.Utility exported commands
+ and invoke cmdlets indirectly by array index. This can be used to evade detections
+ that look for explicit strings such as Invoke-RestMethod or Invoke-Expression.
+references:
+ - https://www.linkedin.com/posts/mark-o-halloran1_clickfix-defense-evasion-tactic-today-i-ugcPost-7453463467736408064-snrp
+author: Norbert Jaƛniewicz (AlphaSOC)
+date: 2026-06-11
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.stealth
+ - attack.t1027.010
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+ selection_module_export_enum:
+ ScriptBlockText|contains|all:
+ - 'Get-Module'
+ - 'ListAvailable'
+ - 'Microsoft.PowerShell.Utility'
+ - 'ExportedCommands'
+ - 'Values'
+ selection_index_used:
+ ScriptBlockText|contains: '[*]'
+ selection_indirect_invocation:
+ - ScriptBlockText|startswith:
+ - '&'
+ - '.'
+ - ScriptBlockText|contains:
+ - ' &'
+ - ' .'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
From 676305a0c1c4d432f1ade746af8d96c3de0b5c5f Mon Sep 17 00:00:00 2001
From: norbert791 <80985548+norbert791@users.noreply.github.com>
Date: Fri, 12 Jun 2026 11:54:18 +0200
Subject: [PATCH 2/2] Apply suggestion from @nasbench
Co-authored-by: Nasreddine Bencherchali
---
 ...cmdlet_invocation_via_exported_commands_array_index.yml | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cmdlet_invocation_via_exported_commands_array_index.yml b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_invocation_via_exported_commands_array_index.yml
index dc6f7e7c347..2ae33c2dfb3 100644
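Review bot: `ScriptBlockText|contains: '[*]'` in selection_index_used does not pin a literal bracketed index, because `*` is a Sigma wildcard and the value expands to "a `[`, anything, then `]`", which virtually every script block matches (a type accelerator such as `[string]` alone satisfies it), so the selection adds no real constraint beside selection_module_export_enum. If the intent is the numeric index applied to the enumerated command list, a regex anchored on the property access expresses it, e.g. `ScriptBlockText|re: 'ExportedCommands\.Values\s*\[\s*\d+\s*\]'` (the whitespace tolerance is a guess at the variants worth covering, and a script that stores the array in a variable before indexing would still be missed). Separately, `attack.stealth` is not an ATT&CK tactic; T1027.010 sits under Defense Evasion, so the tactic tag should be `attack.defense-evasion`, spelled per the repository's tag convention. The `author` value (`Jaƛniewicz`) also looks mis-encoded and is worth re-checking as UTF-8 before merge.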
--- a/rules/windows/powershell/powershell_script/posh_ps_cmdlet_invocation_via_exported_commands_array_index.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_invocation_via_exported_commands_array_index.yml
@@ -28,13 +28,6 @@ detection:
 - 'Values'
 selection_index_used:
 ScriptBlockText|contains: '[*]'
- selection_indirect_invocation:
- - ScriptBlockText|startswith:
- - '&'
- - '.'
- - ScriptBlockText|contains:
- - ' &'
- - ' .'
 condition: all of selection_*
 falsepositives:
 - Unknown