Techniques
Sample rules
Potential PowerShell Obfuscated Script via High Entropy
- source: elastic
- techniques:
  - T1027
  - T1059
  - T1140
Description
Identifies PowerShell script blocks with high entropy and non-uniform character distributions. Attackers may obfuscate PowerShell scripts using encoding, encryption, or compression techniques to evade signature-based detections and hinder manual analysis by security analysts.
Detection logic
event.category:process and host.os.type:windows and powershell.file.script_block_length > 1000 and
powershell.file.script_block_entropy_bits >= 5.3 and powershell.file.script_block_surprisal_stdev > 0.7 and
not file.directory: "C:\Program Files (x86)\Microsoft Intune Management Extension\Content\DetectionScripts"
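The two statistical fields the query relies on, `script_block_entropy_bits` and `script_block_surprisal_stdev`, are easy to reproduce offline, which is useful for tuning the thresholds against your own script blocks before enabling the rule. The example below is added here and is not Elastic's code. It assumes that `script_block_surprisal_stdev` is the population standard deviation of per-character surprisal, -log2 p(c), taken over every character in the block (the page does not show how Elastic computes the field), and that the `event.category` and `host.os.type` clauses are satisfied because the input is taken to be a Windows PowerShell script block event. The three sample blocks are constructed for the example: an ordinary administrative snippet, a synthetic "thin wrapper around an encoded blob" distribution, and a perfectly flat 64-symbol alphabet.

```python
"""Entropy and surprisal metrics for a PowerShell script block, applying the
thresholds of the 'Potential PowerShell Obfuscated Script via High Entropy'
rule. Added example, not Elastic's own code; the surprisal-stdev definition
below is an assumption about how the rule's field is derived."""
import math
import random
import statistics
import string
from collections import Counter
from typing import Dict, Optional

# Thresholds copied from the detection logic above.
MIN_SCRIPT_BLOCK_LENGTH = 1000
MIN_ENTROPY_BITS = 5.3
MIN_SURPRISAL_STDEV = 0.7
EXCLUDED_DIRECTORY = (
    r"C:\Program Files (x86)\Microsoft Intune Management Extension"
    r"\Content\DetectionScripts"
)


def _char_probabilities(text: str) -> Dict[str, float]:
    """Relative frequency of each character in the block."""
    n = len(text)
    return {ch: k / n for ch, k in Counter(text).items()}


def shannon_entropy_bits(text: str) -> float:
    """Shannon entropy of the character distribution, in bits per character:
    0 for one repeated character, log2(64) = 6 for a flat 64-symbol alphabet."""
    if not text:
        return 0.0
    return -sum(p * math.log2(p) for p in _char_probabilities(text).values())


def surprisal_stdev(text: str) -> float:
    """Population stdev of per-character surprisal -log2 p(c) (assumed
    definition). 0 means every character is equally likely; large values mean
    a few very common characters mixed with many rare ones."""
    if not text:
        return 0.0
    probs = _char_probabilities(text)
    return statistics.pstdev(-math.log2(probs[ch]) for ch in text)


def matches_rule(script_block: str, file_directory: Optional[str] = None) -> bool:
    """Evaluate the rule's length, entropy, surprisal and path-exclusion clauses
    for one script block event."""
    if file_directory == EXCLUDED_DIRECTORY:
        return False
    return (
        len(script_block) > MIN_SCRIPT_BLOCK_LENGTH
        and shannon_entropy_bits(script_block) >= MIN_ENTROPY_BITS
        and surprisal_stdev(script_block) > MIN_SURPRISAL_STDEV
    )


# Constructed sample 1: ordinary administrative PowerShell repeated until the
# block exceeds 1000 characters. Only 31 distinct characters occur, so the
# entropy cannot exceed log2(31), about 4.95 bits, whatever their frequencies.
BENIGN_SAMPLE = "Get-ChildItem -Path $env:TEMP -Filter *.log | Remove-Item -Force\n" * 20

# Constructed sample 2: a synthetic block imitating a thin wrapper around an
# encoded blob. Eight "wrapper" characters occur 60 times each and 56 "blob"
# characters 10 times each; the seeded shuffle changes only the order, not the
# counts, so the entropy is about 5.51 bits and the surprisal stdev about 1.29.
_frequent = "$()'[];="
_rare = string.ascii_letters + "0123"
_chars = list(_frequent * 60 + _rare * 10)
random.Random(7).shuffle(_chars)
OBFUSCATED_SAMPLE = "".join(_chars)

# Constructed sample 3: a perfectly flat 64-symbol alphabet, the shape of an
# idealised Base64 blob. Entropy is the maximum 6 bits, but the surprisal stdev
# is exactly 0, so the non-uniformity clause fails: the rule targets mixed
# code-plus-blob content rather than a pure encoded blob on its own.
UNIFORM_SAMPLE = (string.ascii_letters + string.digits + "+/") * 16


if __name__ == "__main__":
    for name, block in [("benign", BENIGN_SAMPLE),
                        ("obfuscated", OBFUSCATED_SAMPLE),
                        ("uniform", UNIFORM_SAMPLE)]:
        print(f"{name:10s} len={len(block):5d} "
              f"entropy={shannon_entropy_bits(block):.3f} "
              f"surprisal_stdev={surprisal_stdev(block):.3f} "
              f"match={matches_rule(block)}")
```

The uniform sample is the case worth keeping in mind when tuning: a block that is nothing but an evenly distributed encoded payload has high entropy yet a near-zero surprisal stdev, which is why the rule pairs the entropy threshold with a non-uniformity threshold rather than alerting on entropy alone. Real script blocks that mix wrapper code with encoded content land in the region both clauses cover.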