Legitimate PowerShell scripts which make use of compression and encoding.

Techniques

Sample rules

PowerShell Suspicious Payload Encoded and Compressed

Description

Identifies PowerShell script block content that combines Base64 decoding with .NET decompression (Deflate/GZip). Attackers use this pattern to deobfuscate and reconstruct payloads in memory to evade defenses.

Detection logic

event.category:process and host.os.type:windows and
  powershell.file.script_block_entropy_bits >= 4.5 and
  powershell.file.script_block_text : (
    (
      "System.IO.Compression.DeflateStream" or
      "System.IO.Compression.GzipStream" or
      "IO.Compression.DeflateStream" or
      "IO.Compression.GzipStream"
    ) and
    FromBase64String
  ) and
  not user.id : "S-1-5-18"
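To make the false positive concrete, here is an added Python example (not part of the LoFP entry or the rule it quotes) that re-implements the rule's conditions and runs them over a few constructed script block events. The entropy helper is an assumption about how powershell.file.script_block_entropy_bits is derived (the page does not state the computation), the case-insensitive substring match is an approximation of the KQL text match, and the script blocks, user SIDs and base64 blob are all constructed. It shows that an administrator's module loader that embeds a GZip-compressed, base64-encoded bundle fires the rule exactly like the in-memory Deflate-to-Invoke-Expression pattern the rule is written for, while the S-1-5-18 exclusion and the Base64 requirement are what keep the other two events quiet.

```python
import math
import random
from collections import Counter

# Constants lifted from the rule's detection logic on this page.
DECOMPRESSION_MARKERS = (
    "System.IO.Compression.DeflateStream",
    "System.IO.Compression.GzipStream",
    "IO.Compression.DeflateStream",
    "IO.Compression.GzipStream",
)
BASE64_MARKER = "FromBase64String"
ENTROPY_THRESHOLD_BITS = 4.5
LOCAL_SYSTEM_SID = "S-1-5-18"


def shannon_entropy_bits(text):
    """Shannon entropy of the character distribution, in bits per character.
    Assumption: this is how script_block_entropy_bits is computed upstream."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def evaluate(event):
    """Apply the rule's conditions to one flattened event.
    Returns (matched, reason) so analysts can see which clause decided."""
    if event.get("event.category") != "process" or event.get("host.os.type") != "windows":
        return False, "not a Windows process event"
    text = event.get("powershell.file.script_block_text", "")
    entropy = event.get("powershell.file.script_block_entropy_bits")
    if entropy is None:  # assumption: derive it from the text when the field is absent
        entropy = shannon_entropy_bits(text)
    if entropy < ENTROPY_THRESHOLD_BITS:
        return False, "entropy %.2f below %.1f" % (entropy, ENTROPY_THRESHOLD_BITS)
    lowered = text.lower()  # approximation of KQL's analyzed (case-insensitive) text match
    if not any(m.lower() in lowered for m in DECOMPRESSION_MARKERS):
        return False, "no Deflate/GZip decompression stream referenced"
    if BASE64_MARKER.lower() not in lowered:
        return False, "no FromBase64String call"
    if event.get("user.id") == LOCAL_SYSTEM_SID:
        return False, "LocalSystem (S-1-5-18) is excluded by the rule"
    return True, "Base64 decode combined with .NET decompression"


def _constructed_blob(seed=7, copies=24):
    """Constructed stand-in for a compressed payload: the base64 alphabet,
    each symbol used equally often, shuffled. Uniform over 64 symbols means
    the blob alone has 6 bits/char, so the surrounding code cannot pull the
    whole block under the 4.5-bit threshold."""
    chars = list("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" * copies)
    random.Random(seed).shuffle(chars)
    return "".join(chars)


BLOB = _constructed_blob()

# Constructed: an admin tool that ships its module as a gzip+base64 bundle and
# unpacks it to disk before importing. Legitimate, but it has every marker.
BENIGN_LOADER = (
    "$ms=New-Object IO.MemoryStream(,[Convert]::FromBase64String('" + BLOB + "'));"
    "$gz=New-Object IO.Compression.GzipStream($ms,[IO.Compression.CompressionMode]::Decompress);"
    "[IO.File]::WriteAllText('C:\\Tools\\Deploy.psm1',(New-Object IO.StreamReader($gz)).ReadToEnd())"
)

# Constructed: the in-memory Deflate-then-evaluate shape the rule describes.
DEFLATE_TO_IEX = (
    "IEX (New-Object IO.StreamReader((New-Object IO.Compression.DeflateStream((New-Object "
    "IO.MemoryStream(,[Convert]::FromBase64String('" + BLOB + "'))),"
    "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"
)

# Constructed: plain gzip handling with no Base64 decoding at all.
GZIP_FILE_COPY = (
    "$in=[IO.File]::OpenRead('C:\\Logs\\app.log.gz');"
    "$gz=New-Object IO.Compression.GzipStream($in,[IO.Compression.CompressionMode]::Decompress);"
    "$gz.CopyTo([IO.File]::Create('C:\\Logs\\app.log'))"
)


def _event(name, text, user_id):
    return {
        "name": name,
        "event.category": "process",
        "host.os.type": "windows",
        "user.id": user_id,
        "powershell.file.script_block_text": text,
    }


SAMPLE_EVENTS = [
    _event("benign-module-loader", BENIGN_LOADER, "S-1-5-21-1000-2000-3000-1105"),  # constructed SID
    _event("deflate-to-iex", DEFLATE_TO_IEX, "S-1-5-21-1000-2000-3000-1105"),
    _event("benign-loader-as-system", BENIGN_LOADER, LOCAL_SYSTEM_SID),
    _event("plain-gzip-file-copy", GZIP_FILE_COPY, "S-1-5-21-1000-2000-3000-1105"),
]


def run_rule(events):
    """Evaluate every event; returns a list of (name, matched, reason)."""
    return [(e["name"], *evaluate(e)) for e in events]


if __name__ == "__main__":
    for name, matched, reason in run_rule(SAMPLE_EVENTS):
        print("%-26s %-5s %s" % (name, "ALERT" if matched else "-", reason))
```

The benign loader and the Deflate-to-IEX script produce identical alerts, which is the whole LoFP point: the rule keys on the encoding-plus-decompression shape, not on what the decoded text is used for. Tuning therefore has to come from context the rule does not look at (script path, signer, the user the tool runs as), not from loosening the markers.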