In this blog post I will cover my testing of the Attack Surface Reduction rule for Potentially Obfuscated Scripts. This is one of the features that intrigued me the most. One obfuscates scripts for several reasons:

Bypassing detection controls such as AV, automatic log analysis and other controls.

Hindering analysis of the script to determine its purpose and actions.

On the offense side obfuscation has become a requirement: as more tools improve their detection, obfuscation allows bypassing them, but it also has the drawback of drawing attention to the code, since it will look out of place. By detecting obfuscation and blocking its execution, this rule would impact the capabilities of some actors, limiting the tool-set they can use.
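Before getting to Microsoft's description, here is how the rule can be put into audit mode and its events pulled back for review, as an added example that is not part of the original post. It assumes an elevated PowerShell session on a host running Microsoft Defender Antivirus; the rule GUID and the 1121/1122 event IDs are Microsoft's documented values for this rule and for ASR block/audit events, not values taken from this page.

```powershell
# Added example (not from the original post): enable the "Block execution of potentially
# obfuscated scripts" ASR rule in audit mode, confirm it is set, then list what it flagged.
# Rule GUID as documented by Microsoft for this rule.
$ruleId = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'

# AuditMode records events without blocking; switch the action to Enabled once the audit
# period shows no legitimate scripts being flagged.
Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions AuditMode

# Confirm the rule is present in the effective preference and read back its action
# (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn). Compare case-insensitively because
# the stored GUID casing may differ from the one we supplied.
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$idx  = -1
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $ruleId) { $idx = $i; break }
}
if ($idx -ge 0) {
    "Rule $ruleId action: $($pref.AttackSurfaceReductionRules_Actions[$idx])"
} else {
    "Rule $ruleId is not configured"
}

# Pull the Defender operational events this rule writes: 1121 = blocked, 1122 = audited.
# The event message carries the rule ID, so filter on it to separate this rule from others.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $ruleId } |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Running the rule in audit mode first is the practical way to measure how often it fires against the scripts already in use on a host before it is allowed to block anything; the 1122 events show exactly which script paths would have been stopped.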

Microsoft describes the rule as follows in their documentation: