IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Suspicious Portable Executable Encoded in Powershell Script
editSuspicious Portable Executable Encoded in Powershell Script
editThis rule detects the presence of Portable Executables in a PowerShell Script by Looking for its encoded header. Attackers embed PEs into PowerShell Scripts for Injecting them into the memory, avoiding defenses by not writing to disk.,
Rule type: query
Rule indices:
- winlogbeat-*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Execution
Version: 1
Added (Elastic Stack release): 7.16.0
Rule authors: Elastic
Rule license: Elastic License v2
Rule query
editevent.code:"4104" and powershell.file.script_block_text : ( TVqQAAMAAAAEAAAA )
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Command and Scripting Interpreter
- ID: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/