Suspicious Powershell Script

A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/03/25"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8anomaly_threshold = 50
 9author = ["Elastic"]
10description = """
11A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be
12a characteristic of malicious PowerShell script text blocks.
13"""
14false_positives = [
15    """
16    Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or
17    have unusual script block payloads may trigger this alert.
18    """,
19]
20from = "now-45m"
21interval = "15m"
22license = "Elastic License v2"
23machine_learning_job_id = ["v3_windows_anomalous_script"]
24name = "Suspicious Powershell Script"
25references = [
26    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
27    "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
28]
29risk_score = 21
30rule_id = "1781d055-5c66-4adf-9d60-fc0fa58337b6"
31severity = "low"
32tags = [
33    "Domain: Endpoint",
34    "OS: Windows",
35    "Use Case: Threat Detection",
36    "Rule Type: ML",
37    "Rule Type: Machine Learning",
38    "Tactic: Execution",
39]
40type = "machine_learning"
41[[rule.threat]]
42framework = "MITRE ATT&CK"
43[[rule.threat.technique]]
44id = "T1059"
45name = "Command and Scripting Interpreter"
46reference = "https://attack.mitre.org/techniques/T1059/"
47[[rule.threat.technique.subtechnique]]
48id = "T1059.001"
49name = "PowerShell"
50reference = "https://attack.mitre.org/techniques/T1059/001/"
51
52
53
54[rule.threat.tactic]
55id = "TA0002"
56name = "Execution"
57reference = "https://attack.mitre.org/tactics/TA0002/"

References

Related rules

to-top