PowerView is evil, but PowerVi and ew are legit, right? - Missing signature-based detections due to PowerShell Script Block Logging Fragmentation
Sigma
offers more than 3000 rules for signature-based threat detection. 140 of these rules aim to detect suspicious/malicious PowerShell scripts by looking into PowerShell script block logs. Fragmentation of script blocks during Script Block Logging results in varying number of alerts when loading the same script multiple times. On the one hand, there is a trend of more alerts being generated when the script is split into more fragments (which is fine), but on the other hand, the fragmentation of scripts into blocks may result in missed detections.
8 minutes to read
Louis Hackländer-Jansen