PowerShell Script with Encryption/Decryption Capabilities

Identifies PowerShell script block content that uses .NET cryptography APIs for file encryption or decryption. Attackers abuse these routines to encrypt data for impact or decrypt staged payloads to evade defenses.

Elastic rule (rule definition, TOML):

[metadata]
creation_date = "2023/01/23"
integration = ["windows"]
maturity = "production"
updated_date = "2026/02/09"

[rule]
author = ["Elastic"]
description = """
Identifies PowerShell script block content that uses .NET cryptography APIs for file encryption or decryption.
Attackers abuse these routines to encrypt data for impact or decrypt staged payloads to evade defenses.
"""
false_positives = ["Legitimate PowerShell Scripts which makes use of encryption."]
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.powershell*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Script with Encryption/Decryption Capabilities"
note = """## Triage and analysis

> **Disclaimer**:
> This guide was created by humans with the assistance of generative AI. While its contents have been manually curated to include the most valuable information, always validate assumptions and adjust procedures to match your internal runbooks and incident triage and response policies.

### Investigating PowerShell Script with Encryption/Decryption Capabilities

This rule identifies PowerShell script block content that implements cryptographic encryption or decryption using .NET APIs. Matching script blocks commonly include symmetric cryptography classes (for example, AES/Rijndael or the SymmetricAlgorithm base type), key derivation helpers (for example, PasswordDeriveBytes or Rfc2898DeriveBytes), explicit cipher configuration (CipherMode and PaddingMode), and calls that create an encryptor or decryptor.

This behavior can be legitimate (protecting configuration values, packaging content, or controlled encryption for business workflows). It can also indicate malicious activity such as encrypting local data for impact or decrypting staged content to reduce static visibility before follow-on execution. Prioritize determining what data is being transformed, where outputs are written, and whether the user/host/script origin aligns with expected activity.

#### Key alert fields to review

- `user.name`, `user.domain`, `user.id`: Account execution context for correlation, prioritization, and scoping.
- `host.name`, `host.id`: Host execution context for correlation, prioritization, and scoping.
- `powershell.file.script_block_text`: Script block content that matched the detection logic.
- `powershell.file.script_block_id`, `powershell.sequence`, `powershell.total`: Script block metadata to pivot to other fragments or reconstruct full script content when split across multiple events.
- `file.path`, `file.directory`, `file.name`: File-origin context when the script block is sourced from an on-disk file.
- `powershell.file.script_block_length`: Script block length (size) context.

#### Possible investigation steps

- Review `powershell.file.script_block_text` to understand the cryptographic intent and data flow:
  - Identify whether the logic is primarily encrypting, decrypting, or doing both.
  - Note which cryptographic primitives are used (for example, AES/Rijndael, hashing helpers, and key derivation routines) and how keys/IVs are produced (hard-coded values, derived from passwords, generated randomly, or passed in).
  - Identify the transformed data source and destination:
    - File-oriented operations: look for path construction, directory traversal patterns, repeated read/write loops, file extension changes, renames, or deletion of originals.
    - In-memory operations: look for large embedded blobs, byte arrays, stream usage, or logic that converts decrypted content into executable form or writes it to a new artifact.
  - Extract and preserve any embedded secrets or deterministic derivation parameters (password strings, salts, iteration counts, static IVs, or key material), as these can be critical for impact assessment and recovery.

- Determine whether the alert contains the full implementation or only a fragment:
  - Use `powershell.file.script_block_length` to gauge whether this is a complete routine (larger blocks) versus a wrapper or function invocation (smaller blocks).
  - If the script appears incomplete, pivot on `powershell.file.script_block_id` and use `powershell.sequence` / `powershell.total` to retrieve and order all fragments before concluding intent.

- Validate execution context and provenance:
  - Review `user.name`, `user.domain`, and `user.id` to determine whether this account typically performs encryption/decryption tasks and whether the account scope matches the host role.
  - Review `host.name` and `host.id` to determine asset criticality and whether similar activity is expected on this system (for example, administrative hosts may have more automation than standard endpoints).
  - If `file.path` / `file.name` is present, evaluate whether the script origin is expected:
    - Compare the path and name to approved automation locations and naming conventions.
    - Treat unexpected paths, user-writable directories, or newly observed script locations as higher risk.

- Scope the activity using alert fields:
  - On the same host, search for additional script blocks tied to the same `powershell.file.script_block_id` to find related functions or setup code not visible in the initial alert fragment.
  - Search across hosts for repeating patterns in `powershell.file.script_block_text` and for the same `file.name` to determine whether this is a widely deployed administrative script or isolated activity.
  - Pivot on `user.id` to identify whether similar script blocks appear on multiple hosts, which may indicate coordinated activity.

- Correlate with adjacent telemetry around `@timestamp` for the same `host.id` and `user.id` (if available in your environment):
  - Process execution telemetry to identify the PowerShell host process and what initiated it, helping distinguish interactive use from automation or remotely initiated activity.
  - File activity telemetry to identify bursts of file modifications/creations consistent with bulk encryption/decryption and to determine which directories and file types were affected.
  - Network telemetry to identify connections that could support retrieval of encrypted content, exchange of key material, or staging/downloading of additional payloads.
  - Authentication telemetry to identify unusual logons or session types for the user preceding execution.

- Determine disposition and urgency:
  - Treat as higher severity if the script indicates broad file processing, writes many outputs, modifies user data locations, or includes embedded key material/blobs associated with staged content.
  - Treat as lower severity if the script is clearly tied to approved operations, originates from a known `file.path`, is executed by expected accounts, and shows consistent recurrence patterns with expected scope.

### False positive analysis

- Legitimate PowerShell automation may implement encryption/decryption for secure configuration handling, packaging, data protection, or interoperability with other systems.
- Benign activity is more likely to have consistent `file.path` / `file.name` values, execute under expected administrative accounts, and recur on appropriate hosts with stable script content.
- If the script is determined to be benign, document what data it protects, where it is expected to run, which accounts execute it, and what normal recurrence looks like to reduce future triage time.

### Response and remediation

- If the activity is suspicious or malicious:
  - Contain the host to prevent further encryption/decryption activity and reduce the risk of spread or data impact.
  - Preserve evidence from the alert, including the full `powershell.file.script_block_text` and any reconstructed fragments correlated via `powershell.file.script_block_id`.
  - If `file.path` is present, collect the referenced script from disk and preserve it for forensic review and scoping.
  - Identify impacted systems and data:
    - If file-impact is suspected, prioritize backup protection, incident response escalation, and recovery planning.
    - If payload staging is suspected, prioritize identifying the decrypted output or follow-on execution artifacts.
  - Scope and hunt across the environment for related activity using `user.id`, `host.id`, recurring `file.name`, and distinctive fragments of `powershell.file.script_block_text`.
  - Remediate the associated account and access path: validate legitimacy, reset credentials if compromise is suspected, and apply least-privilege controls where appropriate.
  - Remove or block the identified script and any related artifacts discovered during analysis, and monitor for recurrence.

- If the activity is confirmed benign:
  - Record the expected `file.path` / `file.name`, the responsible `user.id`, and normal execution patterns to support consistent future triage and tuning decisions.
"""
risk_score = 47
rule_id = "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: PowerShell Logs",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:process and host.os.type:windows and
  powershell.file.script_block_text : (
    (
      "Cryptography.AESManaged" or
      "Cryptography.RijndaelManaged" or
      "Cryptography.SHA1Managed" or
      "Cryptography.SHA256Managed" or
      "Cryptography.SHA384Managed" or
      "Cryptography.SHA512Managed" or
      "Cryptography.SymmetricAlgorithm" or
      "PasswordDeriveBytes" or
      "Rfc2898DeriveBytes"
    ) and
    (
      CipherMode and PaddingMode
    ) and
    (
      ".CreateEncryptor" or
      ".CreateDecryptor"
    )
  ) and
  not user.id : "S-1-5-18" and
  not (
    file.name : "Bootstrap.Octopus.FunctionAppenderContext.ps1" and
    powershell.file.script_block_text : ("function Decrypt-Variables" or "github.com/OctopusDeploy")
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1027"
name = "Obfuscated Files or Information"
reference = "https://attack.mitre.org/techniques/T1027/"

[[rule.threat.technique]]
id = "T1140"
name = "Deobfuscate/Decode Files or Information"
reference = "https://attack.mitre.org/techniques/T1140/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user.id",
    "user.domain",
    "powershell.file.script_block_text",
    "powershell.file.script_block_id",
    "powershell.sequence",
    "powershell.total",
    "file.path",
    "file.directory",
    "file.name",
    "process.pid",
    "host.name",
    "host.id",
    "powershell.file.script_block_length"
]
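The following is an added worked example, not part of the Elastic rule or its repository. It serves two passages above: the query itself, and the triage step about determining whether an alert holds the full routine or only a fragment. It approximates the rule's KQL as case-insensitive substring tests over constructed script block events (the real query runs against an analyzed text field, so tokenization may differ; this is an assumption of the example), applies the rule's two exclusions, and then reassembles a script block that arrived as several fragments using `powershell.file.script_block_id`, `powershell.sequence` and `powershell.total`. The sample events, SIDs and file names are constructed, not real telemetry.

```python
"""Added example: approximate the rule's query logic and reassemble script block fragments."""

# Term groups mirroring the rule's query; all three groups must be satisfied.
CRYPTO_CLASSES = (
    "Cryptography.AESManaged", "Cryptography.RijndaelManaged",
    "Cryptography.SHA1Managed", "Cryptography.SHA256Managed",
    "Cryptography.SHA384Managed", "Cryptography.SHA512Managed",
    "Cryptography.SymmetricAlgorithm", "PasswordDeriveBytes", "Rfc2898DeriveBytes",
)
CIPHER_CONFIG = ("CipherMode", "PaddingMode")
TRANSFORM_CALLS = (".CreateEncryptor", ".CreateDecryptor")

LOCAL_SYSTEM_SID = "S-1-5-18"
OCTOPUS_FILE = "Bootstrap.Octopus.FunctionAppenderContext.ps1"
OCTOPUS_MARKERS = ("function Decrypt-Variables", "github.com/OctopusDeploy")


def _contains_any(text, terms):
    lowered = text.lower()
    return any(t.lower() in lowered for t in terms)


def _contains_all(text, terms):
    lowered = text.lower()
    return all(t.lower() in lowered for t in terms)


def rule_matches(event):
    """True when one event satisfies the rule's query.

    Assumption: KQL matching on script_block_text is approximated with
    case-insensitive substring tests rather than a tokenizer-faithful port.
    """
    if event.get("event.category") != "process" or event.get("host.os.type") != "windows":
        return False
    text = event.get("powershell.file.script_block_text", "")
    if not (_contains_any(text, CRYPTO_CLASSES)
            and _contains_all(text, CIPHER_CONFIG)
            and _contains_any(text, TRANSFORM_CALLS)):
        return False
    if event.get("user.id") == LOCAL_SYSTEM_SID:  # rule excludes LOCAL SYSTEM
        return False
    if event.get("file.name") == OCTOPUS_FILE and _contains_any(text, OCTOPUS_MARKERS):
        return False  # rule excludes the Octopus Deploy bootstrap script
    return True


def alerting_block_ids(events):
    """Script block IDs for which at least one event matches on its own."""
    return sorted({e["powershell.file.script_block_id"] for e in events if rule_matches(e)})


def reassemble_script(events, script_block_id):
    """Join the fragments of one script block in powershell.sequence order.

    Returns (text, complete); complete is False when fewer fragments than
    powershell.total were collected, so intent should not yet be concluded.
    """
    frags = [e for e in events if e.get("powershell.file.script_block_id") == script_block_id]
    frags.sort(key=lambda e: e["powershell.sequence"])
    total = frags[0]["powershell.total"] if frags else 0
    text = "".join(e["powershell.file.script_block_text"] for e in frags)
    return text, bool(frags) and len(frags) == total


def matches_when_reassembled(events, script_block_id):
    """Re-evaluate the rule over the reassembled text of one script block."""
    text, complete = reassemble_script(events, script_block_id)
    probe = dict(next(e for e in events if e["powershell.file.script_block_id"] == script_block_id))
    probe["powershell.file.script_block_text"] = text
    return rule_matches(probe), complete


def _event(user_id, file_name, block_id, seq, total, text):
    """Constructed event carrying only the fields the rule's query inspects."""
    return {"event.category": "process", "host.os.type": "windows",
            "user.id": user_id, "file.name": file_name,
            "powershell.file.script_block_id": block_id,
            "powershell.sequence": seq, "powershell.total": total,
            "powershell.file.script_block_text": text}


# Constructed PowerShell routine with all three term groups present.
_AES_SCRIPT = (
    "$aes = New-Object System.Security.Cryptography.AesManaged\n"
    "$aes.Mode = [System.Security.Cryptography.CipherMode]::CBC\n"
    "$aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7\n"
    "$aes.Key = $key; $aes.IV = $iv\n"
    "$enc = $aes.CreateEncryptor()\n"
)
_USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed

SAMPLE_EVENTS = [
    _event(_USER_SID, "Protect-Config.ps1", "blk-0001", 1, 1, _AES_SCRIPT),
    _event(LOCAL_SYSTEM_SID, "Protect-Config.ps1", "blk-0002", 1, 1, _AES_SCRIPT),
    _event(_USER_SID, OCTOPUS_FILE, "blk-0003", 1, 1,
           "function Decrypt-Variables {\n" + _AES_SCRIPT + "}\n"),
    # One routine split into two fragments; neither alone has all three groups.
    _event(_USER_SID, "Unpack.ps1", "blk-0004", 1, 2,
           "$aes = New-Object System.Security.Cryptography.AesManaged\n"
           "$aes.Mode = [System.Security.Cryptography.CipherMode]::CBC\n"),
    _event(_USER_SID, "Unpack.ps1", "blk-0004", 2, 2,
           "$aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7\n"
           "$dec = $aes.CreateDecryptor()\n"),
]

if __name__ == "__main__":
    print("alerting per event:", alerting_block_ids(SAMPLE_EVENTS))
    print("blk-0004 after reassembly:", matches_when_reassembled(SAMPLE_EVENTS, "blk-0004"))
```

Run stand-alone, only `blk-0001` alerts on a per-event basis: the LOCAL SYSTEM and Octopus events are excluded by the rule, and the two `blk-0004` fragments each lack one of the required term groups. Reassembled, `blk-0004` does satisfy the query, which is the point of the guide's advice to order fragments by `powershell.sequence` and confirm the count against `powershell.total` before concluding intent either way.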
