{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/microsoft-intune-management-extension/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Intune Management Extension","Azure AD Connect Health Agent","Windows Defender Advanced Threat Protection"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","powershell","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers frequently employ PowerShell obfuscation techniques to evade detection and hinder analysis. These techniques involve encoding, encrypting, or compressing PowerShell scripts to mask their true intent. This detection identifies PowerShell script blocks exhibiting high entropy and non-uniform character distributions, statistical characteristics often associated with obfuscated content. The rule specifically targets script blocks longer than 1000 characters with entropy bits \u0026gt;= 5.5 and surprisal standard deviation \u0026gt; 0.7. This detection is designed to highlight potentially malicious PowerShell activity that warrants further investigation by security analysts and incident responders. This rule was created by Elastic and last updated on May 4, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system (e.g., via phishing or exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages PowerShell, a built-in Windows scripting language, to execute malicious commands.\u003c/li\u003e\n\u003cli\u003eThe attacker uses obfuscation techniques (encoding, encryption, compression) to disguise the PowerShell script\u0026rsquo;s true intent.\u003c/li\u003e\n\u003cli\u003eThe obfuscated script is executed, bypassing basic signature-based detections.\u003c/li\u003e\n\u003cli\u003eThe script may download and execute additional payloads or establish persistence.\u003c/li\u003e\n\u003cli\u003eThe script performs malicious actions such as data exfiltration, lateral movement, or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using obfuscated PowerShell can lead to various negative impacts, including data breaches, system compromise, and disruption of services. The low severity reflects the need for further analysis to confirm malicious intent, given potential false positives from legitimate encoded scripts. While the exact number of affected systems and sectors is unknown, the widespread use of PowerShell makes this a potentially significant threat across many organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to generate the necessary events (4104) as outlined in the setup instructions: \u003ca href=\"https://ela.st/powershell-logging-setup\"\u003ehttps://ela.st/powershell-logging-setup\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune the thresholds (\u003ccode\u003epowershell.file.script_block_length\u003c/code\u003e, \u003ccode\u003epowershell.file.script_block_entropy_bits\u003c/code\u003e, \u003ccode\u003epowershell.file.script_block_surprisal_stdev\u003c/code\u003e) based on your environment\u0026rsquo;s baseline.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule, focusing on execution context (\u003ccode\u003euser.name\u003c/code\u003e, \u003ccode\u003ehost.name\u003c/code\u003e), script provenance (\u003ccode\u003efile.path\u003c/code\u003e), and reconstructed script content (\u003ccode\u003epowershell.file.script_block_text\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview the investigation guide within the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e section for detailed triage and analysis steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:49:36Z","date_published":"2026-05-04T14:49:36Z","id":"/briefs/2026-06-high-entropy-powershell/","summary":"This detection identifies potentially obfuscated PowerShell scripts based on high entropy and non-uniform character distributions, often used by attackers to evade signature-based detections and hinder analysis.","title":"Potential PowerShell Obfuscated Script via High Entropy","url":"https://feed.craftedsignal.io/briefs/2026-06-high-entropy-powershell/"}],"language":"en","title":"CraftedSignal Threat Feed — Microsoft Intune Management Extension","version":"https://jsonfeed.org/version/1.1"}