Suspicious Powershell Script

A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be characteristic of malicious PowerShell script text blocks.


 1[metadata]
 2creation_date = "2020/03/25"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2023/07/27"
 6min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 7min_stack_version = "8.3.0"
 8
 9[rule]
10anomaly_threshold = 50
11author = ["Elastic"]
12description = """
13A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be
14a characteristic of malicious PowerShell script text blocks.
15"""
16false_positives = [
17    """
18    Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or
19    have unusual script block payloads may trigger this alert.
20    """,
21]
22from = "now-45m"
23interval = "15m"
24license = "Elastic License v2"
25machine_learning_job_id = ["v3_windows_anomalous_script"]
26name = "Suspicious Powershell Script"
27references = [
28    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
29    "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"]
30risk_score = 21
31rule_id = "1781d055-5c66-4adf-9d60-fc0fa58337b6"
32severity = "low"
33tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Execution"]
34type = "machine_learning"
35
36[[rule.threat]]
37framework = "MITRE ATT&CK"
38[[rule.threat.technique]]
39id = "T1059"
40name = "Command and Scripting Interpreter"
41reference = "https://attack.mitre.org/techniques/T1059/"
42
43
44    [[rule.threat.technique.subtechnique]]
45    id = "T1059.001"
46    name = "PowerShell"
47    reference = "https://attack.mitre.org/techniques/T1059/001/"
48
49
50[rule.threat.tactic]
51id = "TA0002"
52name = "Execution"
53reference = "https://attack.mitre.org/tactics/TA0002/"```
