legitimate powershell scripts which makes use of compression and encoding.

t1027
t1059
t1140
windows
elastic

Techniques

T1027
T1059
T1140

Sample rules

PowerShell Suspicious Payload Encoded and Compressed

source: elastic
technicques:
- T1027
- T1059
- T1140

Description

Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.

Detection logic

event.category:process and host.os.type:windows and
  powershell.file.script_block_text : (
    (
      "System.IO.Compression.DeflateStream" or
      "System.IO.Compression.GzipStream" or
      "IO.Compression.DeflateStream" or
      "IO.Compression.GzipStream"
    ) and
    FromBase64String
  ) and
  not user.id : "S-1-5-18"