Potential PowerShell Obfuscated Script via High Entropy

About

Tags

Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: Defense EvasionData Source: PowerShell LogsLanguage: kuery

Severity

low

Risk Score

21

MITRE ATT&CK™

Defense Evasion (TA0005)(external, opens in a new tab or window)

↳ Obfuscated Files or Information (T1027)(external, opens in a new tab or window)

↳ Deobfuscate/Decode Files or Information (T1140)(external, opens in a new tab or window)

Execution (TA0002)(external, opens in a new tab or window)

↳ Command and Scripting Interpreter (T1059)(external, opens in a new tab or window)

False Positive Examples

Legitimate large or encoded PowerShell scripts (automation frameworks, installers, or admin tooling) can exhibit high entropy or uneven character distributions.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Query (Kibana Query Language)

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

logs-windows.powershell*

Related Integrations

windows(external, opens in a new tab or window)

Query

✄𐘗
text code block:
✄𐘗event.category:process and host.os.type:windows and powershell.file.script_block_length > 1000 and
  powershell.file.script_block_entropy_bits >= 5.3 and powershell.file.script_block_surprisal_stdev > 0.7 and
  not file.directory: "C:\Program Files (x86)\Microsoft Intune Management Extension\Content\DetectionScripts"