certain kinds of security testing may trigger this alert. powershell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert.

t1059
ml
elastic

Techniques

T1059

Sample rules

Suspicious Powershell Script

source: elastic
technicques:
- T1059

Description

A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.

LoFP / certain kinds of security testing may trigger this alert. powershell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert.

Techniques

Sample rules

Suspicious Powershell Script

Description

Detection logic