Language: KQL · License: Elastic-2.0 · From: elastic/detection-rules
Potential PowerShell Obfuscated Script via High Entropy
Quality: 92
Rule source: rules/windows/defense_evasion_posh_high_entropy.toml
event.category:process and host.os.type:windows and powershell.file.script_block_length > 1000 and
powershell.file.script_block_entropy_bits >= 5.5 and powershell.file.script_block_surprisal_stdev > 0.7 and
not file.directory: (
"C:\Program Files (x86)\Microsoft Intune Management Extension\Content\DetectionScripts" or
"C:\Program Files\Microsoft Azure AD Connect Health Agent\Products\AdFederationService\AdfsDiagnostics\AdfsToolbox\diagnosticsModule\Private"
)
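The rule fires on a Windows process event whose PowerShell script block is longer than 1000 characters, has at least 5.5 bits of entropy per character and a per-character surprisal spread above 0.7, unless the script was loaded from one of two allow-listed vendor directories. The Python below is an added example, not Elastic's code and not part of the rule: it re-derives the three `powershell.file.*` features under assumed definitions (Shannon entropy in bits per character; population standard deviation of each character's surprisal `-log2 p(c)`; plain character count), renders the KQL predicate clause for clause, and evaluates it over constructed script blocks. It also shows a caveat worth knowing before tuning: a block drawn uniformly from the Base64 alphabet reaches the maximum 6.0 bits of entropy yet has zero surprisal spread, so it fails the `surprisal_stdev` clause; the rule is keyed to mixed-alphabet text whose character frequencies vary, such as an encoded payload stitched together with operators and quotes. The sample blocks, the seed and the event shape are constructed for illustration.

```python
"""Added example (not Elastic's code): re-derive the three script-block features
the rule above thresholds and evaluate the rule's predicate over constructed events.

Assumed feature definitions (the page does not state them, so they are labelled):
  script_block_length          - number of characters in the script block
  script_block_entropy_bits    - Shannon entropy of the block, bits per character
  script_block_surprisal_stdev - population std-dev of per-position surprisal
                                 -log2 p(c), taken over every character position
"""
import math
import random
import string
from collections import Counter

# The two allow-listed directories from the rule. KQL matches a keyword field
# exactly, so the comparison here is an exact string match as well.
EXCLUDED_DIRS = {
    r"C:\Program Files (x86)\Microsoft Intune Management Extension\Content\DetectionScripts",
    r"C:\Program Files\Microsoft Azure AD Connect Health Agent\Products\AdFederationService"
    r"\AdfsDiagnostics\AdfsToolbox\diagnosticsModule\Private",
}


def script_block_features(text: str) -> dict:
    """Compute the three powershell.file.* features for one script block (assumed definitions)."""
    n = len(text)
    if n == 0:
        return {"script_block_length": 0,
                "script_block_entropy_bits": 0.0,
                "script_block_surprisal_stdev": 0.0}
    counts = Counter(text)
    # Surprisal of each character position; its mean is the Shannon entropy.
    surprisal = [-math.log2(counts[c] / n) for c in text]
    entropy = sum(surprisal) / n
    variance = sum((s - entropy) ** 2 for s in surprisal) / n
    return {"script_block_length": n,
            "script_block_entropy_bits": entropy,
            "script_block_surprisal_stdev": math.sqrt(variance)}


def make_event(script_text: str, directory: str = "") -> dict:
    """Constructed event carrying only the fields the rule reads (hypothetical shape)."""
    event = {"event.category": "process",
             "host.os.type": "windows",
             "powershell.file": script_block_features(script_text)}
    if directory:
        event["file.directory"] = directory
    return event


def rule_matches(event: dict) -> bool:
    """Python rendering of the KQL predicate above, clause for clause."""
    if event.get("event.category") != "process" or event.get("host.os.type") != "windows":
        return False
    f = event["powershell.file"]
    if not (f["script_block_length"] > 1000
            and f["script_block_entropy_bits"] >= 5.5
            and f["script_block_surprisal_stdev"] > 0.7):
        return False
    return event.get("file.directory") not in EXCLUDED_DIRS


# --- constructed sample blocks (not real telemetry) ----------------------------
# Ordinary admin script, repeated so the block clears the 1000-character floor.
# Repetition leaves the character distribution, and so entropy, unchanged.
_ADMIN_SNIPPET = (
    "$services = Get-Service | Where-Object { $_.Status -eq 'Running' }\n"
    "foreach ($service in $services) {\n"
    "    Write-Output (\"{0} is running\" -f $service.DisplayName)\n"
    "}\n"
)
BENIGN_BLOCK = _ADMIN_SNIPPET * 8

# Obfuscated-looking block: every alphanumeric used 12 times, eight operator and
# quote characters used 50 times each, shuffled with a fixed seed. The shuffle
# only changes appearance; all three features depend on character counts alone.
_ALNUM = string.ascii_letters + string.digits
_GLUE = "()+[]$\"'"
_chars = list(_ALNUM * 12 + _GLUE * 50)
random.Random(1).shuffle(_chars)
OBFUSCATED_BLOCK = "".join(_chars)

# Uniformly distributed Base64 alphabet: maximal entropy, zero surprisal spread.
UNIFORM_BASE64_BLOCK = (string.ascii_uppercase + string.ascii_lowercase
                        + string.digits + "+/") * 20

INTUNE_DIR = r"C:\Program Files (x86)\Microsoft Intune Management Extension\Content\DetectionScripts"

if __name__ == "__main__":
    samples = [
        ("benign admin script", make_event(BENIGN_BLOCK)),
        ("obfuscated mixed text", make_event(OBFUSCATED_BLOCK)),
        ("obfuscated, Intune dir", make_event(OBFUSCATED_BLOCK, INTUNE_DIR)),
        ("uniform base64", make_event(UNIFORM_BASE64_BLOCK)),
    ]
    for name, ev in samples:
        f = ev["powershell.file"]
        print(f"{name:<24} len={f['script_block_length']:5d} "
              f"H={f['script_block_entropy_bits']:.3f} "
              f"sd={f['script_block_surprisal_stdev']:.3f} "
              f"match={rule_matches(ev)}")
```

Running the script prints one line per sample: the benign block stays well under 5.5 bits, the mixed block crosses all three thresholds and matches, the same block attributed to the Intune detection-scripts directory is suppressed by the allow-list, and the uniform Base64 block scores 6.0 bits with a surprisal spread of 0 and does not match. Because the feature definitions here are assumptions, compare the values against what your PowerShell integration actually ingests before reusing these thresholds elsewhere.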