high advisory

PowerShell Suspicious Payload Encoded and Compressed

Detects PowerShell scripts employing Base64 decoding combined with .NET decompression (Deflate/GZip) to deobfuscate and reconstruct malicious payloads in memory, evading traditional defenses.

This detection identifies PowerShell scripts that combine Base64 encoding with .NET compression (Deflate/GZip) to conceal a payload. Attackers use this method to bypass security measures: the script decodes and decompresses the payload directly in memory, so no readable copy of it is ever written to disk, and detection mechanisms that rely on static analysis of the script text see only an opaque Base64 string. The rule therefore inspects script block content for this decode-then-decompress combination, giving defenders visibility into potential defense evasion attempts within their Windows environments. This rule was last updated on 2026-05-04, and its initial version was created on 2021-10-19.

Attack Chain

  1. An attacker gains initial access through methods like phishing or exploiting a vulnerability.
  2. A PowerShell script is executed on the target system, potentially through a compromised user account.
  3. The PowerShell script contains a Base64 encoded string representing a compressed payload.
  4. The script decodes the Base64 string with the [System.Convert]::FromBase64String method.
  5. The script decompresses the decoded bytes using .NET compression classes such as System.IO.Compression.DeflateStream or System.IO.Compression.GZipStream.
  6. The decompressed data reveals a malicious payload, such as a reverse shell or credential theft tool.
  7. The script executes the payload in memory, bypassing traditional file-based detection methods.
  8. The attacker achieves their objective, such as gaining persistent access, stealing data, or deploying ransomware.

Impact

Successful exploitation can lead to complete system compromise, data theft, and deployment of malware such as ransomware. Because the payload is obfuscated, detection is harder and attacker dwell time within the network increases. Windows systems are primarily affected. Even where Windows Defender Advanced Threat Protection is in use, this technique can evade its protection.

Recommendation

  • Enable PowerShell Script Block Logging so that the script block events the rules below rely on (the powershell_script log source) are captured.
  • Deploy the Sigma rule “PowerShell Suspicious Payload Encoded and Compressed” to your SIEM and tune it for your environment.
  • Investigate any alerts generated by the rule, focusing on the reconstructed script block content.
  • Review PowerShell execution policies to restrict the execution of unsigned or untrusted scripts.
  • Monitor process telemetry for PowerShell instances and their parent processes.
  • Restrict PowerShell execution to trusted administrative paths where feasible.
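As an added example (not part of this advisory and not the platform's own Sigma query), the following Python script applies the selection logic described above, a Base64 decode together with a .NET DeflateStream or GZipStream reference in the same script block, to constructed script block log text, and then reconstructs the embedded blob for analyst review without executing anything. The sample script blocks, the harmless Write-Host payload, the 40-character blob threshold and all helper names are constructed for this example; it also accepts the abbreviated `IO.Compression.*` type names PowerShell allows, which the page does not mention.

```python
import base64
import gzip
import re
import zlib
from typing import List, Optional, Tuple

# Selection logic mirroring the rule's description: Base64 decoding combined with a .NET
# decompression class in the same script block. Case-insensitive, as PowerShell is, and the
# "System." prefix is optional because PowerShell resolves [IO.Compression.GZipStream] too.
BASE64_DECODE = re.compile(r"FromBase64String", re.IGNORECASE)
DOTNET_DECOMPRESS = re.compile(r"(?:System\.)?IO\.Compression\.(?:Deflate|GZip)Stream", re.IGNORECASE)
# A Base64 run long enough to plausibly carry a compressed script (the 40-char threshold is an assumption).
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def is_encoded_compressed_payload(script_block: str) -> bool:
    """True when a script block shows both halves of the pattern the rule describes."""
    return bool(BASE64_DECODE.search(script_block) and DOTNET_DECOMPRESS.search(script_block))


def reconstruct_payload(script_block: str) -> Optional[str]:
    """Decode and decompress the first valid blob for analyst review; nothing is executed."""
    for blob in B64_BLOB.findall(script_block):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError: the run was not real Base64
            continue
        # GZipStream writes a gzip container (wbits 16+15); DeflateStream writes raw deflate (wbits -15).
        for wbits in (zlib.MAX_WBITS | 16, -zlib.MAX_WBITS):
            try:
                return zlib.decompress(raw, wbits).decode("utf-8", errors="replace")
            except zlib.error:
                continue
    return None


def triage(script_blocks: List[str]) -> List[Tuple[int, Optional[str]]]:
    """Index and reconstructed content of every script block that matches the rule."""
    return [(i, reconstruct_payload(b)) for i, b in enumerate(script_blocks)
            if is_encoded_compressed_payload(b)]


def make_sample_blob(text: str, raw_deflate: bool = False) -> str:
    """Constructed test data only: compress then Base64-encode in the two layouts .NET
    produces (gzip container for GZipStream, raw deflate for DeflateStream)."""
    data = text.encode("utf-8")
    if raw_deflate:
        co = zlib.compressobj(wbits=-zlib.MAX_WBITS)
        compressed = co.compress(data) + co.flush()
    else:
        compressed = gzip.compress(data)
    return base64.b64encode(compressed).decode("ascii")


# Constructed stand-ins for Event ID 4104 ScriptBlockText; the payload is a harmless Write-Host.
BENIGN_PAYLOAD = "Write-Host 'constructed benign sample payload for detection testing'"

CONSTRUCTED_SCRIPT_BLOCKS = [
    # Matches the rule: Base64 decode feeding a GZipStream.
    "$d=[System.Convert]::FromBase64String('" + make_sample_blob(BENIGN_PAYLOAD) + "');"
    "$m=New-Object System.IO.MemoryStream(,$d);"
    "$g=New-Object System.IO.Compression.GZipStream($m,[System.IO.Compression.CompressionMode]::Decompress);"
    "(New-Object System.IO.StreamReader($g)).ReadToEnd()",
    # Matches the rule: DeflateStream variant with abbreviated type names (raw deflate layout).
    "$b=[Convert]::FromBase64String('" + make_sample_blob(BENIGN_PAYLOAD, raw_deflate=True) + "');"
    "$s=New-Object IO.Compression.DeflateStream((New-Object IO.MemoryStream(,$b)),"
    "[IO.Compression.CompressionMode]::Decompress);(New-Object IO.StreamReader($s)).ReadToEnd()",
    # Base64 alone is common in legitimate scripts and must not fire.
    "$c=[System.Convert]::FromBase64String('SGVsbG8gV29ybGQ=');[Text.Encoding]::UTF8.GetString($c)",
    # Ordinary administrative activity.
    "Get-Process | Where-Object { $_.CPU -gt 100 } | Select-Object Name, Id",
]

if __name__ == "__main__":
    for index, content in triage(CONSTRUCTED_SCRIPT_BLOCKS):
        print(f"script block {index} matched; reconstructed content: {content!r}")
```

Requiring both halves of the pattern is what keeps the false-positive rate workable: Base64 alone appears in plenty of legitimate automation, as the third sample shows, while Base64 feeding a decompression stream almost never does. Trying the gzip layout before raw deflate matters because a raw-deflate decoder will not reject gzip input cleanly in every case, whereas the gzip header check fails fast on raw deflate data.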

Detection coverage (2 rules)

PowerShell Suspicious Payload Encoded and Compressed

high

Detects PowerShell scripts using Base64 decoding with .NET decompression to evade defenses.

Sigma | tactics: defense_evasion | techniques: T1027 | sources: process_creation, windows

PowerShell Compressed Payload via Script Block Logging

high

Detects PowerShell script blocks that combine Base64 decoding and .NET decompression.

Sigma | tactics: defense_evasion | techniques: T1027 | sources: powershell_script, windows
