Azure AD Connect Health Agent — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/azure-ad-connect-health-agent/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 04 May 2026 14:49:36 +0000Potential PowerShell Obfuscated Script via High Entropyhttps://feed.craftedsignal.io/briefs/2026-06-high-entropy-powershell/Mon, 04 May 2026 14:49:36 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-06-high-entropy-powershell/This detection identifies potentially obfuscated PowerShell scripts based on high entropy and non-uniform character distributions, often used by attackers to evade signature-based detections and hinder analysis.Attackers frequently employ PowerShell obfuscation techniques to evade detection and hinder analysis. These techniques involve encoding, encrypting, or compressing PowerShell scripts to mask their true intent. This detection identifies PowerShell script blocks exhibiting high entropy and non-uniform character distributions, statistical characteristics often associated with obfuscated content. The rule specifically targets script blocks longer than 1000 characters with entropy bits >= 5.5 and surprisal standard deviation > 0.7. This detection is designed to highlight potentially malicious PowerShell activity that warrants further investigation by security analysts and incident responders. This rule was created by Elastic and last updated on May 4, 2026.

Attack Chain

  1. An attacker gains initial access to a system (e.g., via phishing or exploit).
  2. The attacker leverages PowerShell, a built-in Windows scripting language, to execute malicious commands.
  3. The attacker uses obfuscation techniques (encoding, encryption, compression) to disguise the PowerShell script’s true intent.
  4. The obfuscated script is executed, bypassing basic signature-based detections.
  5. The script may download and execute additional payloads or establish persistence.
  6. The script performs malicious actions such as data exfiltration, lateral movement, or system compromise.

Impact

A successful attack using obfuscated PowerShell can lead to various negative impacts, including data breaches, system compromise, and disruption of services. The low severity reflects the need for further analysis to confirm malicious intent, given potential false positives from legitimate encoded scripts. While the exact number of affected systems and sectors is unknown, the widespread use of PowerShell makes this a potentially significant threat across many organizations.

Recommendation

  • Enable PowerShell Script Block Logging to generate the necessary events (4104) as outlined in the setup instructions: https://ela.st/powershell-logging-setup.
  • Deploy the provided Sigma rule to your SIEM and tune the thresholds (powershell.file.script_block_length, powershell.file.script_block_entropy_bits, powershell.file.script_block_surprisal_stdev) based on your environment’s baseline.
  • Investigate alerts generated by the Sigma rule, focusing on execution context (user.name, host.name), script provenance (file.path), and reconstructed script content (powershell.file.script_block_text).
  • Review the investigation guide within the rule’s note section for detailed triage and analysis steps.
]]>lowadvisorydefense-evasionpowershellobfuscation