Rules Contributing to Encoded PowerShell Alert Type

The following rules are used to identify a Windows host executed an encoded PowerShell script. Any one or more of these will trigger the Encoded PowerShell Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Encoded PowerShell

A Windows host executed an encoded PowerShell script. Investigate the script contents to see if it is malicious. If so, consider quarantining the host.

More details

Rule ID

threat_encoded_powershell

Query

{'selection1': {'detection_flag': [2100, 2101]}, 'condition': 'selection1'}

Detection Flag

Note: detection_flag is a Stellar enriched field.

2100: Encoded PowerShell
2101: Encoded PowerShell with hidden flag

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0002, T1059

References

N/A

Severity

Suppression Logic Based On

srcip
detection_flag
stellar.rule_id

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2018/12/01	critical	N/A