high advisory

Potential Malicious PowerShell Based on Alert Correlation

This rule identifies PowerShell script blocks linked to multiple distinct PowerShell detections via the same ScriptBlock ID, indicating compound suspicious behavior associated with chained obfuscation, decoding, and execution within a single script block.

This detection identifies potentially malicious PowerShell activity by correlating multiple distinct PowerShell detections via the same ScriptBlock ID. Attackers frequently chain obfuscation, decoding, and execution within a single script block to evade detection. The rule analyzes alerts where the rule name contains “PowerShell” and groups them by ScriptBlock ID. A high count of distinct rule names associated with a single ScriptBlock ID indicates a higher likelihood of malicious behavior, suggesting that the script block is exhibiting multiple suspicious characteristics. This aggregated approach aims to detect sophisticated PowerShell attacks that might otherwise evade individual rule detections. The original rule was created on 2025-04-16 and last updated on 2026-05-01.
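The correlation described above, as an added example that is not the platform's query: alerts whose rule name contains "PowerShell" are grouped by ScriptBlock ID, repeated hits of the same rule are collapsed to one, and an ID is flagged once the number of distinct rules inside a sliding time window reaches the threshold. The alert records, field names and every rule name other than "Detect PowerShell Script Block with Encoded Command" are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts; field names and all rule names except the page's
# "Detect PowerShell Script Block with Encoded Command" are assumptions.
SAMPLE_ALERTS = [
    {"time": "2025-04-16T10:00:01", "rule": "Detect PowerShell Script Block with Encoded Command", "script_block_id": "sb-aaaa"},
    {"time": "2025-04-16T10:00:02", "rule": "PowerShell Download Cradle", "script_block_id": "sb-aaaa"},
    {"time": "2025-04-16T10:00:02", "rule": "PowerShell Download Cradle", "script_block_id": "sb-aaaa"},  # repeat hit
    {"time": "2025-04-16T10:00:03", "rule": "PowerShell Invoke-Expression Usage", "script_block_id": "sb-aaaa"},
    {"time": "2025-04-16T11:00:00", "rule": "Detect PowerShell Script Block with Encoded Command", "script_block_id": "sb-bbbb"},
    {"time": "2025-04-16T11:00:05", "rule": "Detect PowerShell Script Block with Encoded Command", "script_block_id": "sb-bbbb"},
    {"time": "2025-04-16T11:00:09", "rule": "PowerShell Download Cradle", "script_block_id": "sb-bbbb"},
    {"time": "2025-04-16T12:00:00", "rule": "Suspicious Scheduled Task Creation", "script_block_id": "sb-cccc"},
    {"time": "2025-04-16T12:00:01", "rule": "PowerShell Invoke-Expression Usage", "script_block_id": "sb-cccc"},
    {"time": "2025-04-16T12:00:02", "rule": "PowerShell Download Cradle", "script_block_id": ""},  # no 4104 ID logged
]


def correlate(alerts, threshold=3, window_seconds=900):
    """Group alerts whose rule name contains 'PowerShell' by ScriptBlock ID and
    return {script_block_id: sorted distinct rule names} for each ID where at
    least `threshold` distinct rules fired inside a sliding `window_seconds`."""
    by_id = defaultdict(list)
    for a in alerts:
        if "powershell" not in a["rule"].lower():  # only PowerShell-named rules count
            continue
        if not a.get("script_block_id"):  # without an ID nothing can be correlated
            continue
        by_id[a["script_block_id"]].append((datetime.fromisoformat(a["time"]), a["rule"]))

    findings = {}
    for sbid, hits in by_id.items():
        hits.sort()  # chronological; tuples sort by timestamp first
        for i, (t0, _) in enumerate(hits):
            # a set dedupes repeated hits of the same rule, so only distinct rules count
            distinct = {rule for t, rule in hits[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(distinct) >= threshold:
                findings[sbid] = sorted(distinct)
                break
    return findings


if __name__ == "__main__":
    for sbid, rules in correlate(SAMPLE_ALERTS).items():
        print(f"{sbid}: {len(rules)} distinct PowerShell rules -> {rules}")
```

With the defaults only sb-aaaa is flagged; lowering the threshold to 2 also flags sb-bbbb, while sb-cccc never qualifies because its scheduled-task alert is not a PowerShell-named rule.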

Attack Chain

  1. An attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.
  2. The attacker executes a PowerShell script containing obfuscated or encoded commands to evade initial detection.
  3. The script utilizes techniques to decode or deobfuscate malicious code within the same ScriptBlock ID.
  4. The decoded script downloads additional payloads or tools from a remote server.
  5. The script executes the downloaded payloads, potentially performing actions such as reconnaissance, privilege escalation, or credential theft.
  6. The script attempts to establish persistence on the system, such as by creating scheduled tasks or modifying registry keys.
  7. The script may attempt to disable or evade security controls.
  8. The attacker achieves their final objective, such as data exfiltration or deploying ransomware.

Impact

A successful attack can lead to the compromise of sensitive data, system disruption, and potential financial loss. The rule aims to detect sophisticated PowerShell attacks that might otherwise evade individual rule detections. By correlating multiple distinct PowerShell detections via the same ScriptBlock ID, the rule increases the likelihood of detecting malicious activity. Without this detection, organizations may be vulnerable to advanced PowerShell-based attacks.

Recommendation

  • Deploy the Sigma rule “Detect High Count of PowerShell Alerts for Single ScriptBlock ID” to your SIEM and tune the threshold for your environment.
  • Enable PowerShell script block logging (Event ID 4104) to ensure that the ScriptBlock ID is available in the logs.
  • Investigate any alerts generated by the Sigma rule, focusing on the contributing alerts and the reconstructed PowerShell script block.
  • Review and harden PowerShell execution policies to prevent unauthorized script execution.
  • Consider implementing application control to restrict the execution of unsigned or untrusted PowerShell scripts.
  • Use the “Alerts associated with the user” and “Alerts associated with the host” transforms to investigate related alerts from the same user and host.

Detection coverage (2 rules)

Detect High Count of PowerShell Alerts for Single ScriptBlock ID

high

Detects PowerShell script blocks that trigger multiple distinct alerts, indicating potentially malicious behavior.

Format: Sigma | Tactics: execution | Techniques: T1059.001 | Sources: process_creation, windows

Detect PowerShell Script Block with Encoded Command

medium

Detects PowerShell script blocks containing encoded commands, which are often used to obfuscate malicious code.

Format: Sigma | Tactics: execution, obfuscation | Techniques: T1059.001 | Sources: process_creation, windows
