Potential PowerShell Obfuscated Script via High Entropy
This rule detects potential PowerShell obfuscated scripts by identifying script blocks with high entropy and non-uniform character distributions, which attackers use to evade signature-based detections.
Attackers often obfuscate PowerShell scripts using encoding, encryption, or compression to evade signature-based detections and hinder manual analysis. This technique allows malicious actors to hide their code's true intent, making it difficult for security analysts to identify and understand the script's behavior. This detection identifies PowerShell script blocks with high entropy and non-uniform character distributions, characteristics that are common in obfuscated scripts. The rule focuses on statistical anomalies in PowerShell script blocks. It checks for large script blocks (over 1000 characters) with high entropy (>= 5.5 bits) and significant surprisal standard deviation (> 0.7). Note that legitimate scripts can trigger this alert when they embed packed data (e.g., compressed resources).
Attack Chain
- An attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).
- The attacker uploads or creates a PowerShell script on the target system.
- The PowerShell script is obfuscated using techniques such as Base64 encoding, gzip compression, or encryption algorithms.
- The obfuscated script is executed via
powershell.exe. - The script decodes, decrypts, or decompresses the malicious payload in memory.
- The payload is executed, performing actions such as establishing persistence, downloading additional malware, or exfiltrating data.
- The attacker leverages the established foothold for lateral movement within the network.
- The final objective is achieved (e.g., data theft, ransomware deployment).
Impact
Successful obfuscation allows attackers to bypass traditional signature-based security controls. This can lead to undetected malware infections, data breaches, and system compromise. The impact includes potential data theft, system disruption, and financial loss. While the number of victims and specific sectors targeted are unknown, the widespread use of PowerShell makes this a broadly applicable threat.
Recommendation
- Enable PowerShell Script Block Logging to generate the necessary events (4104) for this detection. Reference: https://ela.st/powershell-logging-setup
- Deploy the Sigma rule "Detect Obfuscated PowerShell Script via High Entropy" to your SIEM and tune the threshold values (
powershell.file.script_block_length,powershell.file.script_block_entropy_bits,powershell.file.script_block_surprisal_stdev) to match your environment. - Investigate any alerts triggered by the Sigma rule, focusing on execution context, script content, and initiating source as detailed in the rule's description.
- Review
file.path(if present) to determine the script's origin and legitimacy. - Implement endpoint detection and response (EDR) solutions to monitor for post-execution activity, such as suspicious network connections and file modifications.
- Block execution of PowerShell scripts from unusual file directories (user-writable or temporary locations).
Detection coverage 2
Detect Obfuscated PowerShell Script via High Entropy
mediumDetects PowerShell script blocks with high entropy, a common characteristic of obfuscated scripts used to evade detection.
Detect PowerShell Script with Surprisal Deviation
mediumDetects PowerShell scripts with non-uniform character distributions, potentially indicating obfuscation.
Detection queries are available on the platform. Get full rules →