Techniques
Sample rules
Powershell Processing Stream Of Data
- source: splunk
- technicques:
- T1059
- T1059.001
Description
The following analytic detects suspicious PowerShell script execution involving compressed stream data processing, identified via EventCode 4104. It leverages PowerShell Script Block Logging to flag scripts using IO.Compression, IO.StreamReader, or decompression methods. This activity is significant as it often indicates obfuscated PowerShell or embedded .NET/binary execution, which are common tactics for evading detection. If confirmed malicious, this behavior could allow attackers to execute hidden code, escalate privileges, or maintain persistence within the environment.
Detection logic
`powershell` EventCode=4104 ScriptBlockText = "*IO.Compression.*" OR ScriptBlockText = "*IO.StreamReader*" OR ScriptBlockText = "*]::Decompress*"
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_processing_stream_of_data_filter`