New

The executive guide to generative AI

Read more

Suspicious Portable Executable Encoded in Powershell Script

edit

Suspicious Portable Executable Encoded in Powershell Script

edit

Detects the presence of portable executables (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts for injecting them into the memory, avoiding defenses by not writing to disk.

Rule type: query

Rule indices:

  • winlogbeat-*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Execution

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
event.category:process and
  powershell.file.script_block_text : (
    TVqQAAMAAAAEAAAA
  )

Framework: MITRE ATT&CKTM

On this page

Was this helpful?
Feedback