Potential PowerShell Obfuscated Script via High Entropy

  1[metadata]
  2creation_date = "2026/01/08"
  3integration = ["windows"]
  4maturity = "production"
  5updated_date = "2026/01/08"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies PowerShell script blocks with high entropy and non-uniform character distributions. Attackers may obfuscate
 11PowerShell scripts using encoding, encryption, or compression techniques to evade signature-based detections and hinder
 12manual analysis by security analysts.
 13"""
 14false_positives = [
 15  """
 16  Legitimate large or encoded PowerShell scripts (automation frameworks, installers, or admin tooling) can exhibit high
 17  entropy or uneven character distributions.
 18  """
 19]
 20from = "now-9m"
 21index = ["logs-windows.powershell*"]
 22language = "kuery"
 23license = "Elastic License v2"
 24name = "Potential PowerShell Obfuscated Script via High Entropy"
 25risk_score = 21
 26rule_id = "737b5532-cf2e-4d40-9209-d7aec9dd25d5"
 27note = """## Triage and analysis
 28
 29> **Disclaimer**:
 30> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 31
 32### Investigating Potential PowerShell Obfuscated Script via High Entropy
 33
 34This alert flags a large PowerShell script block with statistical characteristics consistent with obfuscated content (for example, encoded, compressed, or encrypted data embedded in a script). Triage should focus on establishing execution context (who/where), reconstructing the complete script content, identifying whether the high-entropy data is a benign embedded resource or a staged payload, and scoping for related activity.
 35
 36#### Key alert fields to review
 37
 38- `user.name`, `user.domain`, `user.id`: Account execution context for correlation, prioritization, and scoping.
 39- `host.name`, `host.id`: Host execution context for correlation, prioritization, and scoping.
 40- `file.path`, `file.directory`, `file.name`: File-origin context when the script block is sourced from an on-disk file.
 41- `powershell.file.script_block_text`: Script block content that matched the detection logic.
 42- `powershell.file.script_block_id`, `powershell.sequence`, `powershell.total`: Script block metadata to pivot to other fragments or reconstruct full script content when split across multiple events.
 43- `powershell.file.script_block_entropy_bits`: Shannon entropy of the script block. Higher values may indicate obfuscation.
 44- `powershell.file.script_block_surprisal_stdev`: Standard deviation of surprisal across the script block. Low values indicate uniform randomness. High values indicate mixed patterns and variability.
 45- `powershell.file.script_block_unique_symbols`: Count of distinct characters present in the script block.
 46- `powershell.file.script_block_length`: Script block length (size) context.
 47
 48#### Possible investigation steps
 49
 50- Triage the execution context and initial severity:
 51  - Review `@timestamp` to identify when the script block executed and align pivots to the same timeframe.
 52  - Review `host.name` and `host.id` to identify the endpoint and validate whether PowerShell use is expected for its role.
 53  - Review `user.name`, `user.domain`, and `user.id` to determine whether the account is expected to run PowerShell on this host and whether it is privileged, shared, or an automation/service identity.
 54  - Review `powershell.file.script_block_length`, `powershell.file.script_block_entropy_bits`, and `powershell.file.script_block_surprisal_stdev` to understand whether the alert is driven by a large embedded blob (often staging) or more mixed script content (often a wrapper/loader plus embedded data).
 55
 56- Determine script provenance (file-backed vs. dynamic/interactive):
 57  - If `file.path` is present, review `file.directory` and `file.name` to understand where the script originated.
 58  - Assess whether `file.directory` is consistent with approved administrative tooling locations for this host and user, or whether it appears user-writable, temporary, or otherwise unusual.
 59  - If `file.path` is absent, treat the script block as potentially interactive or dynamically generated and prioritize reconstructing the full script content and identifying the launch source via process correlation.
 60
 61- Reconstruct the full script content when fragmented:
 62  - Pivot on `powershell.file.script_block_id` to collect all fragments associated with the script block.
 63  - Order fragments using `powershell.sequence` and validate completeness using `powershell.total`.
 64  - Analyze the reconstructed content as a whole to avoid missing small loader logic that precedes a large encoded/encrypted payload.
 65
 66- Perform structured content review of `powershell.file.script_block_text`:
 67  - Identify large contiguous strings, byte arrays, or character arrays that may represent encoded or packed data; use `powershell.file.script_block_unique_symbols` to help distinguish limited-alphabet encodings from broader character sets.
 68  - Look for transformation and staging patterns (for example, decode/decrypt/decompress routines) and whether transformed content is immediately executed (for example, dynamic invocation, in-memory loading, or secondary script evaluation).
 69  - Extract any embedded indicators (domains, URLs, IPs, file paths/names, registry paths, scheduled task/service names, or distinctive strings) and retain them for scoping and containment.
 70
 71- Establish the execution chain and initiating source:
 72  - Use `process.pid` with `host.id` and `@timestamp` to pivot to process telemetry for the PowerShell host instance that generated the script block.
 73  - Identify the parent process and initiating mechanism (interactive shell, scheduled execution, remote management, document/script host, or other launcher). Treat unexpected launch sources or unusual timing for the host role as higher risk.
 74  - Check whether the same `process.pid` generated additional suspicious script blocks around the alert time, and whether `user.id` and `host.id` align with expected administrative behavior.
 75
 76- Correlate for follow-on activity on the same host and account:
 77  - Correlate on `host.id` and `@timestamp` to identify adjacent events that indicate impact (outbound connections, file writes, module downloads, persistence changes, or unusual authentication activity).
 78  - When `file.path` is present, correlate on that path and timeframe for file creation/modification patterns that may indicate initial staging or subsequent cleanup.
 79
 80- Scope the activity across the environment:
 81  - Search for other high-entropy script blocks on the same `host.id` and `user.id` before and after the alert to identify repeated execution or iterative staging.
 82  - Search across hosts for the same `file.name` and `file.path` (when present) and compare `powershell.file.script_block_text` structure to identify reuse.
 83  - Use distinctive substrings from `powershell.file.script_block_text` as pivots to find related script blocks even when paths or accounts differ.
 84
 85### False positive analysis
 86
 87- Benign scripts can trigger this alert when they legitimately embed packed data (for example, compressed resources, serialized configuration blobs, embedded certificates/keys, or packaged modules) that increase entropy and appear non-uniform.
 88- Indicators supporting a benign determination:
 89  - `file.path` and `file.name` consistently map to an approved internal tool or vendor-managed automation across multiple hosts.
 90  - `user.id` represents an expected administrative or automation identity with predictable host targeting and execution timing.
 91  - Reconstructed `powershell.file.script_block_text` shows a stable, repeatable structure over time, and any decoded content aligns with known operational functionality rather than staging and immediate secondary execution.
 92- Indicators supporting suspicion:
 93  - Unusual `file.directory` for the host role or account, or absence of `file.path` combined with evidence of dynamic staging behavior.
 94  - Reconstructed content includes clear execution of transformed data, in-memory loading patterns, or embedded external destinations not associated with known tooling.
 95- If determined benign, document the owning tool/team, expected `user.id` usage, and expected `file.path`/`file.name` (when present). Use those stable attributes for future baselining and noise reduction while preserving detection for new paths, new users, or materially different script structures.
 96
 97### Response and remediation
 98
 99- If suspicious or malicious activity is confirmed:
100  - Contain the affected host to prevent further execution and lateral movement.
101  - Preserve relevant evidence from the alert, including full reconstructed script content (via `powershell.file.script_block_id`, `powershell.sequence`, `powershell.total`), and associated context (`@timestamp`, `host.*`, `user.*`, `file.*`, `process.pid`, and entropy metrics).
102  - Use extracted indicators from `powershell.file.script_block_text` to hunt across hosts and accounts, and to identify additional affected systems.
103  - Investigate and remediate follow-on activity identified during correlation (downloaded payloads, dropped files, persistence mechanisms, or unauthorized network access) and remove malicious artifacts from affected endpoints.
104  - If account compromise is suspected for `user.id` / `user.name`, initiate credential reset and review recent authentication activity and access paths associated with that identity.
105
106- If benign activity is confirmed:
107  - Record the justification and expected behavior (who runs it, where it runs, and expected `file.path` when present).
108  - Monitor for deviations from the established baseline, including new `user.id`, new `host.id`, new `file.path`, or significant changes in `powershell.file.script_block_text` structure or entropy characteristics.
109"""
110setup = """## Setup
111
112PowerShell Script Block Logging must be enabled to generate the events used by this rule (e.g., 4104).
113Setup instructions: https://ela.st/powershell-logging-setup
114
115This rule uses the following fields that require the Windows Integration v3.3.0 and up: `powershell.file.script_block_entropy_bits`, `powershell.file.script_block_surprisal_stdev`, and `powershell.file.script_block_length`.
116"""
117severity = "low"
118tags = [
119    "Domain: Endpoint",
120    "OS: Windows",
121    "Use Case: Threat Detection",
122    "Tactic: Defense Evasion",
123    "Data Source: PowerShell Logs",
124    "Resources: Investigation Guide"
125]
126timestamp_override = "event.ingested"
127type = "query"
128
129query = '''
130event.category:process and host.os.type:windows and powershell.file.script_block_length > 1000 and
131  powershell.file.script_block_entropy_bits >= 5.3 and powershell.file.script_block_surprisal_stdev > 0.7 and
132  not file.directory: "C:\Program Files (x86)\Microsoft Intune Management Extension\Content\DetectionScripts"
133'''
134
135
136[[rule.filters]]
137[rule.filters.meta]
138negate = true
139[rule.filters.query.wildcard."file.path"]
140case_insensitive = true
141value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"
142
143[[rule.threat]]
144framework = "MITRE ATT&CK"
145[[rule.threat.technique]]
146id = "T1027"
147name = "Obfuscated Files or Information"
148reference = "https://attack.mitre.org/techniques/T1027/"
149
150[[rule.threat.technique]]
151id = "T1140"
152name = "Deobfuscate/Decode Files or Information"
153reference = "https://attack.mitre.org/techniques/T1140/"
154
155
156[rule.threat.tactic]
157id = "TA0005"
158name = "Defense Evasion"
159reference = "https://attack.mitre.org/tactics/TA0005/"
160[[rule.threat]]
161framework = "MITRE ATT&CK"
162[[rule.threat.technique]]
163id = "T1059"
164name = "Command and Scripting Interpreter"
165reference = "https://attack.mitre.org/techniques/T1059/"
166[[rule.threat.technique.subtechnique]]
167id = "T1059.001"
168name = "PowerShell"
169reference = "https://attack.mitre.org/techniques/T1059/001/"
170
171
172
173[rule.threat.tactic]
174id = "TA0002"
175name = "Execution"
176reference = "https://attack.mitre.org/tactics/TA0002/"
177
178
179[rule.investigation_fields]
180field_names = [
181    "@timestamp",
182    "host.name",
183    "host.id",
184    "user.name",
185    "user.id",
186    "powershell.file.script_block_text",
187    "powershell.file.script_block_id",
188    "powershell.file.script_block_entropy_bits",
189    "powershell.file.script_block_surprisal_stdev",
190    "powershell.file.script_block_unique_symbols",
191    "powershell.file.script_block_length",
192    "file.path",
193    "file.directory",
194    "file.name",
195    "process.pid"
196]