Signature-based threat detection helps to timely detect malicious behavior. This blog post shows that during an exemplary cyber attack, 99.99% of alerts generated using the well-known Sigma rules can be successfully evaded using fairly straight-forward techniques.

Sigma offers more than 3000 rules for signature-based threat detection. 140 of these rules aim to detect suspicious/malicious PowerShell scripts by looking into PowerShell script block logs. Fragmentation of script blocks during Script Block Logging results in varying number of alerts when loading the same script multiple times. On the one hand, there is a trend of more alerts being generated when the script is split into more fragments (which is fine), but on the other hand, the fragmentation of scripts into blocks may result in missed detections.