Closed
Labels
Rule: Tuning (tweaking or tuning an existing rule); Team: TRADE; community
Description
Link to Rule
Rule Tuning Type
False Positives - Reducing benign events mistakenly identified as threats.
Description
False positive on scripts used by Windows Defender, located in the protected folder C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads. In the attached alert the script block is executed by NT AUTHORITY\SYSTEM (user.id S-1-5-18) from a file.path under that directory, and the file name carries a GUID, so any exception is better scoped to the directory and the executing account than to the file name.
Example Data
Alert data
_id: ed39cc667a9c3c86ad6c5ef41e695c2021e6c5d3b6d73edf69d9029885af2bbc
_index: .internal.alerts-security.alerts-default-000006
_score: 1
fields:
'@timestamp':
- '2025-11-26T12:52:58.291Z'
agent.ephemeral_id:
- 41d4ea12-a1ec-49b3-a20e-cdb41784de07
agent.name:
- <redacted>
data_stream.dataset:
- windows.powershell_operational
data_stream.namespace:
- workstations
elastic_agent.id:
- 1d04cd1a-e078-4654-ab59-5ad5fc87bde9
elastic_agent.snapshot:
- false
elastic_agent.version:
- 9.2.1
event.action:
- Execute a Remote Command
event.category:
- process
event.code:
- '4104'
event.created:
- '2025-11-26T12:50:44.200Z'
event.dataset:
- windows.powershell_operational
event.ingested:
- '2025-11-26T12:50:50.000Z'
event.provider:
- Microsoft-Windows-PowerShell
file.directory:
- C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads
file.extension:
- ps1
file.name:
- PSScript_{66D3BAD7-3732-483F-A3C8-AF6A7AB42D51}.ps1
file.path:
- C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{66D3BAD7-3732-483F-A3C8-AF6A7AB42D51}.ps1
file.path.text:
- C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{66D3BAD7-3732-483F-A3C8-AF6A7AB42D51}.ps1
host.architecture:
- x86_64
host.hostname:
- <redacted>
host.id:
- 9166ad80-6931-4462-80a3-a58aee14b5a1
host.ip:
- fe80::e8dd:b628:1971:77ee
- 10.21.30.161
- fe80::e9d2:efe5:50f5:2ba7
- 169.254.181.233
- fe80::2df7:cdc4:143:702d
- 169.254.223.116
- fe80::62ce:b616:b249:ca10
- 172.18.192.1
- fe80::e94d:c767:fc8d:2b2d
- 10.0.10.47
- fe80::76af:2b94:e7d6:aae5
- 169.254.1.218
- fe80::9c0c:6cbf:800e:78a8
- 169.254.94.90
- fe80::16cc:c38f:a96d:3c6d
- 169.254.212.90
- fe80::8bf4:dcad:b74b:6c2c
- 169.254.47.244
- fe80::e081:5886:f2fd:38d2
- 172.23.224.1
host.mac:
- 00-15-5D-A8-0E-A2
- 00-15-5D-D3-40-B1
- 04-7B-CB-CA-CA-22
- 04-7B-CB-CA-CA-23
- 06-7B-CB-CA-CA-22
- 16-7B-CB-CA-CA-22
- 26-7B-CB-CA-CA-22
- 54-72-70-C7-AB-05
- F4-A8-0D-0C-D9-0B
- FC-5C-EE-22-5E-AC
host.name:
- <redacted>
host.os.build:
- '26100.7171'
host.os.family:
- windows
host.os.kernel:
- 10.0.26100.7171 (WinBuild.160101.0800)
host.os.name:
- Windows 11 Enterprise
host.os.name.text:
- Windows 11 Enterprise
host.os.platform:
- windows
host.os.type:
- windows
host.os.version:
- '10.0'
input.type:
- winlog
log.level:
- warning
message:
- "Creating Scriptblock text (2 of 37):\nject -Last 1).Certificate.Thumbprint\n\
\ if ($rootCertThumbprint -ne $ExpectedRootCertThumbprint)\n {\n\
\ Write-Error \"Unexpected root certificate\"\n if (!$ExpectedLeafCertThumbprints.Contains($Certificate.Thumbprint))\n\
\ {\n $errorMessage = -join(\"Unexpected base certificate:\
\ \", $Certificate.Thumbprint, \":\", $Certificate.Subject)\n Write-Error\
\ $errorMessage\n Write-ScriptErrors -ExitCode 1012\n \
\ }\n }\n }\n catch \n {\n Write-Error \"Exception was\
\ thrown during signature check\"\n Write-ScriptErrors -ExitCode 1011\n\
\ }\n}\n\nfunction Write-Telemetry\n{\n param([string]$TelemetryDataAsJson,\n\
\ [string]$ProviderName = \"UnicastScannerTelemetry\")\n\n $TelemetryData\
\ = $TelemetryDataAsJson | ConvertFrom-Json\n $TelemetryData | Add-Member -NotePropertyName\
\ \"ScannedDeviceId\" -NotePropertyValue $ScannedDeviceId\n $TelemetryData\
\ | Add-Member -NotePropertyName \"MachineId\" -NotePropertyValue $MachineId\n\
\ $TelemetryData | Add-Member -NotePropertyName \"ScriptGuid\" -NotePropertyValue\
\ $Guid\n $TelemetryData | Add-Member -NotePropertyName \"ScriptVersion\" -NotePropertyValue\
\ $ScriptVersion\n $TelemetryData | Add-Member -NotePropertyName \"ScriptName\"\
\ -NotePropertyValue $ScriptName\n\n $TelemetryDataAsJson = $TelemetryData\
\ | ConvertTo-Json\n\n $NdrTelemetriesEvent = New-Object \"NdrScannerTelemetriesEvent\"\
\ -Property @{\n TelemetryTimestamp = $(Get-Date).ToFileTime()\n \
\ TelemetryName = $ProviderName\n TelemetriesInfoAsJson = $TelemetryDataAsJson\n\
\ }\n\n $global:EtwProvider.Write(\"NdrScannerTelemetriesEvent\",$NdrTelemetriesEvent)\n\
}\n\nfunction Check-LowPrivilege()\n{\n $Identity = [Security.Principal.WindowsIdentity]::GetCurrent()\n\
\ $currentPrincipal = New-Object Security.Principal.WindowsPrincipal($Identity)\n\
\ $SID = $Identity.User.Value\n $ValidUsers = @(\"S-1-5-19\",\"S-1-5-20\"\
)\n \n #Check that process is not elevated\n if($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))\n\
\ {\n return $false;\n }\n\n #lookup if valid user runs this script\n\
\ return $($ValidUsers -contains $SID)\n}\n\nfunction Unelevate-Process\n{\n\
\ param([string]$ScriptPath,[string]$ScriptArgs)\n $ExitError = \"\"\n \
\ if((Test-Path $ScriptPath) -eq $false)\n {\n return \"Cannot find\
\ script path\"\n }\n $ProcessCreator = [CreateProcess]\n $LogonToken\
\ = [IntPtr]::Zero\n $LocalServiceToken = [IntPtr]::Zero\n $EnvBlock = [IntPtr]::Zero\n\
\ $RestrictedToken = [IntPtr]::Zero\n $ProcessId = 0\n $PowershellPath\
\ = Join-Path $PsHome \"powershell.exe\"\n $PowershellPathWithArgs = $PowershellPath\
\ + \" -ExecutionPolicy Bypass -NoProfile -NonInteractive -File \" + \"`\"$ScriptPath`\"\
\" + \" \" + $ScriptArgs\n $LocalServiceSID = \"S-1-5-19\"\n $LocalServiceProfilePath\
\ = Get-WmiObject Win32_UserProfile | Where-Object {$_.SID -EQ \"S-1-5-19\"} |\
\ Select-Object -ExpandProperty LocalPath\n\n if(!$ProcessCreator::Logon([ref]$LogonToken))\n\
\ {\n $ExitError = \"Failed on creating LocalService Token Error:$([System.Runtime.InteropServices.marshal]::GetLastWin32Error())\"\
\n }\n elseif(!$ProcessCreator::CreatePrimaryToken($LogonToken, [ref]$LocalServiceToken))\n\
\ {\n $ExitError = \"Failed on creating Primery Token from logon Token\
\ Error:$([System.Runtime.InteropServices.marshal]::GetLastWin32Error())\"\n \
\ }\n elseif(!$ProcessCreator::RemovePrivilegesFromToken($LocalServiceToken,\
\ [ref]$RestrictedToken))\n {\n $ExitError = \"Failed to create restricted\
\ Token Error:$([System.Runtime.InteropServices.marshal]::GetLastWin32Error())\"\
\n }\n elseif(!$ProcessCreator::CreateEnv($RestrictedToken, [ref]$EnvBlock))\n\
\ {\n $ExitError = \"Failed on creating Evironment Block Error:$([System.Runtime.InteropServices.marshal]::GetLastWin32Error())\"\
\n }\n if([string]::IsNullOrEmpty($ExitError))\n {\n $ProcessId\
\ = $ProcessCreator::CreateNewProcess($RestrictedToken, $PowershellPath, $EnvBlock,\
\ $LocalServiceProfilePath, $PowershellPathWithArgs)\n if($ProcessId -eq\
\ 0)\n {\n $ExitError = \"Failed on creating Process with TokenError:$([System.Runtime.InteropServices.marshal]::GetLastWin32Error())\"\
\n }\n }\n\n #Delete all unnecessary handles\n [void]$ProcessCreator::CloseHandles(@($LogonToken,$LocalServiceToken,$RestrictedToken))\n\
\ if($EnvBlock -ne [IntPtr]::Zero)\n {\n [void]$ProcessCreator::DestroyEnvironmentBlock($EnvBlock)\n\
\ }\n\n if(![string]::IsNullOrEmpty($ExitError))\n {\n Write-Error\
\ \"Create process returned Error: $ExitError\"\n }\n\n return $ProcessId\n\
}\n\nfunction Add-PermissionsToFile()\n{\n param([string[]]$Paths)\n\n $Sid\
\ = New-Object System.Security.Principal.SecurityIdentifier(\"S-1-5-19\")\n \
\ $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Sid,\"\
ReadAndExecute\",\"Allow\")\n foreach($file in $Paths)\n {\n $acl\
\ = Get-Acl $file\n [void]$acl.AddAccessRule($AccessRule)\n Set-Acl\
\ $file -AclObject $acl\n }\n}\n\nfunction Remove-PermissionsToFile()\n{\n\
\ param([string[]]$Paths)\n\n $Sid = New-Object System.Security.Principal.SecurityIdentifier(\"\
S-1-5-19\")\n $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Sid,\"\
ReadAndExecute\",\"Allow\")\n foreach($file in $Paths)\n {\n $acl\
\ = Get-Acl $file\n [void]$acl.RemoveAccessRule($AccessRule)\n Set-Acl\
\ $file -AclObject $acl\n }\n}\n\n$Utils =@\"\nusing System;\nusing System.Collections.Generic;\n\
using System.Runtime.InteropServices;\n\npublic static class VpnDetector\n{\n\
\ const int RAS_MaxEntryName = 256;\n const int RAS_MaxDeviceType = 16;\n\
\ const int RAS_MaxDeviceName = 128;\n const int MAX_PATH = 260;\n const\
\ int ERROR_BUFFER_TOO_SMALL = 603;\n const int ERROR_SUCCESS = 0;\n\n [DllImport(\"\
rasapi32.dll\", SetLastError = true, CharSet = CharSet.Auto)]\n private static\
\ extern int RasEnumConnections(\n [In, Out] RASCONN[] rasconn,\n [In, Out]\
\ ref int cb,\n [Out] out int connections);\n\n [StructLayout(LayoutKind.Sequential,\
\ Pack = 4, CharSet = CharSet.Auto)]\n private struct RASCONN\n {\n \
\ public int dwSize;\n public IntPtr hrasconn;\n [MarshalAs(UnmanagedType.ByValTStr,\
\ SizeConst = RAS_MaxEntryName)]\n public string szEntryName;\n \
\ [MarshalAs(UnmanagedType.ByValTStr, SizeConst = RAS_MaxDeviceType)]\n \
\ public string szDeviceType;\n [MarshalAs(UnmanagedType.ByValTStr, SizeConst\
\ = RAS_MaxDeviceName)]\n public string szDeviceName;\n [MarshalAs(UnmanagedType.ByValTStr,\
\ SizeConst = MAX_PATH)]\n public string szPhonebook;\n public int\
\ dwSubEntry;\n public Guid guidEntry;\n public int dwFlags;\n \
\ public Guid luid;\n }\n\n public static List<string> CurrentConnections()\n\
\ {\n RASCONN[] connections = new RASCONN[5];\n List<string>\
\ adapterNames = new List<string>();\n connections[0].dwSize = Marshal.SizeOf(typeof(RASCONN));\n\
\ int connectionsCount = 0;\n int cb = Marshal.SizeOf(typeof(RASCONN));\n\
\ int nRet = RasEnumConnections(connections, ref cb, out connectionsCount);\n\
\ if (nRet != ERROR_SUCCESS && nRet != ERROR_BUFFER_TOO_SMALL)\n \
\ {\n return adapterNames;\n }\n\n for (int i = 0; i\
\ < connectionsCount; i++)\n {\n adapterNames.Add(connections[i].szEntryName);\n\
\ }\n return adapterNames;\n }\n}\n\"@\n\n$EtwWriter = @\"\n\
using System;\nusing System.Text;\nusing System.Diagnostics.Tracing;\nusing Microsoft.PowerShell.Commands;\n\
\n[EventSource(Name = \"Microsoft.Windows.NdrScanner\", Guid = \"a4bfed93-f051-4c33-a524-8ccc50d0dd2b\"\
)]\npublic sealed class NdrEventSource : EventSource\n{\n public NdrEventSource()\
\ : base(EventSourceSettings.EtwSelfDescribingEventFormat | EventSourceSettings.ThrowOnEventWriteErrors)\
\ { }\n}\n\n[EventSource(Name = \"Microsoft.Windows.Sense.CollectionEtw\")]\n\
public sealed class SenseEventSource : EventSource\n{\n public SenseEventSource()\
\ : base(EventSourceSettings.EtwSelfDescribingEventFormat | EventSourceSettings.ThrowOnEventWriteErrors)\
\ { }\n}\n\n[EventData]\npublic class FilterDomainEvent\n{\n public string\
\ EnvUserDomain { get; set; }\n public string EnvUserDnsDomain { get; set;\
\ }\n public string IpInfo { get; set; }\n public string NetConnections\
\ { get; set; }\n public string CorpDomain {get; set;}\n public string ParsedCorpDomain\
\ { get; set; }\n public int PartOfDomain { get; set; }\n public int NumOfInterfacesInCorp\
\ { get; set; }\n public string ArpTable { get; set; }\n public int NumOfArpEntriesInCorp\
\ { get; set; }\n public string ExitReason { get; set; }\n}\n\n[EventData]\n\
public class NdrScannerBannerGrabEvent\n{\n public string ProbeType { get;\
\ set; }\n public string Ip { get; set; }\n public string Mac { get; set;\
\ }\n public string Banner { get; set; }\n}\n\n[EventData]\npublic class NdrScannerHostDiscoveryEvent\n\
{\n public string ProbeType { get; set; }\n public string Ip { get; set;\
\ }\n public string Mac { get; set; }\n public string Hostname { get; set;\
\ }\n public string Domain { get; set; }\n}\n\n[EventData]\npublic class NdrScannerIcmpEvent\n\
{\n public string Ip { get; set; }\n public string Mac { get; set; }\n \
\ public UInt32 TTL { get; set; }\n}\n\n[EventData]\npublic class NdrScannerPortScanEvent\n\
{\n public string PortsMap { get; set; }\n public string Ip { get; set;\
\ }\n public string Mac { get; set; }\n}\n\n[EventData]\npublic class SipDiscoveryNdrScannerEvent\n\
{\n public string UserAgent { get; set; }\n public string ServerHeader {\
\ get; set; }\n public string Capabilities { get; set; }\n public string\
\ Ip { get; set; }\n public string Mac { get; set; }\n public UInt16 Protocol\
\ { get; set; }\n public string CertIssuer { get; set; }\n public string\
\ CertSubject { get; set; }\n}\n\n[EventData]\npublic class NdrScannerHttpProbeEvent\n\
{\n public string Ip { get; set; }\n public string Mac { get; set; }\n \
\ public string RequestUrl { get; set; }\n public string IconMD5 { get; set;\
\ }\n public string LastModified { get; set; }\n public string ResponseUrl\
\ { get; set; }\n public string Certificates { get; set; }\n public string\
\ Cookies { get; set; }\n public string Title { get; set; }\n public string\
\ Headers { get; set; }\n public string CipherSuites { get; set; }\n public\
\ string IconUrl { get; set; }\n public string AdditionalInfo { get; set; }\n\
}\n\n[EventData]\npublic class NetworkDiscoveryEvent\n{\n public string ProbeType\
\ {get; set;}\n public string Ip { get; set; }\n public string DestinationIp\
\ { get; set; } \n public int Ttl { get; set; }\n public string Hostname\
\ { get; set; }\n public string ServiceType { get; set; }\n public string\
\ Mac { get; set; }\n public string Banner { get; set; }\n public int CPU\
\ { get; set; }\n}\n\n[EventData]\npublic class UPnPNdrScannerEvent\n{\n public\
\ string Mac { get; set; }\n public string Ip { get; set; }\n public string\
\ UniqueDeviceName { get; set; }\n public string FriendlyName { get; set; }\n\
\ public string Type { get; set; }\n public string ManufacturerName { get;\
\ set; }\n public string ModelName { get; set; }\n public string ModelNumber\
\ { get; set; }\n public string Description { get; set; }\n public string\
\ SerialNumber { get; set; }\n public string ServerHeader { get; set; }\n \
\ public string PresentationURL { get; set; }\n public string ManufacturerURL\
\ { get; set; }\n public string ModelURL { get; set; }\n public string UPC\
\ { get; set; }\n public string Services { get; set; }\n public string IconURL\
\ { get; set; }\n}\n\n[EventData]\npublic class WsDiscoveryNdrScannerEvent\n{\n\
\ public string SrcMAC { get; set; }\n public string SrcIp { get; set; }\n\
\ public UInt16 XmlLength { get; set; }\n public string RelatesTo { get;\
\ set; }\n public string MessageId { get; set; }\n public string XmlAttributes\
\ { get; set; }\n public string XmlScopes { get; set; }\n public string\
\ XmlAction { get; set; }\n public string XmlTypes { get; set; }\n public\
\ string XmlXaddrs { get; set; }\n}\n\n[EventData]\npublic class mDnsNdrScannerEvent\n\
{\n public string SourceIp { get; set; }\n public UInt16 TransactionID {\
\ get; set; }\n public string PacketID { get; set; }\n public string SourceMac\
\ { get; set; }\n public string ResourceName { get; set; }\n public string\
\ ResourceData { get; set; }\n public UInt16 RRType { get; set; }\n public\
\ UInt16 RRClass { get; set; }\n public string RRSection { get; set; }\n}\n\
\n[EventData]\npublic class NdrScannerTelemetriesEvent\n{\n public UInt64 TelemetryTimestamp\
\ { get; set; }\n public string TelemetryName { get; set; }\n public string\
\ TelemetriesInfoAsJson { get; set; }\n}\n\n[EventData]\npublic class NdrScannerWsdExtensionEvent\n\
{\n public string Mac { get; set; }\n public string Ip { get; set; }\n \
\ public string ServerHeader { get; set; }\n public string ModelName { get;\
\ set; }\n public string ModelNumber { get; set; }\n public string ModelUrl\
\ { get; set; }\n public string FirmwareVersion { get; set; }\n public string\
\ SerialNumber { get; set; }\n public string Manufacturer { get; set; }\n \
\ public string ManufacturerUrl { get; set; }\n public string DeviceCategory\
\ { get; set; }\n public string Types { get; set; }\n public string FriendlyName\
\ { get; set; }\n public string Name { get; set; }\n}\n\n[EventData]\npublic\
\ class NdrScannerIppEvent\n{\n public string Mac { get; set; }\n public\
\ string Ip { get; set; }\n public string ServerHeader { get; set; }\n public\
\ string PrinterDeviceId { get; set; }\n public string PrinterName { get; set;\
\ }\n public string PrinterInfo { get; set; }\n public string PrinterMakeAndModel\
\ { get; set; }\n public string FirmwareVersion { get; set; }\n public string\
\ PrinterUUID { get; set; }\n}\n\n[EventData]\npublic class NdrScannerSmbEvent\n\
{\n public string Mac { get; set; }\n public string Ip { get; set; }\n \
\ public UInt32 Port { get; set; }\n public UInt32 Dialect { get; set; }\n\
\ public UInt32 ProductMajorVersion { get; set; }\n public UInt32 ProductMinorVersion\
\ { get; set; }\n public UInt32 ProductBuild { get; set; }\n public UInt32\
\ NTLMRevision { get; set; }\n public string TargetInfoAsJson { get; set; }\n\
\ public string MechTypes { get; set; }\n}\n\n[EventData]\npublic class NdrScannerNetBiosEvent\n\
{\n public string Mac { get; set; }\n public string Ip { get; set; }\n \
\ public string Name { get; set; }\n public string Domain { get; set; }\n\
\ public string NetBiosInfoAsJson { get; set; }\n public string UnitId {\
\ get; set; }\n}\n\n[EventData]\npublic class NdrScannerSmbV1Event\n{\n public\
\ string Mac { get; set; }\n public string Ip { get; set; }\n public UInt32\
\ Port { get; set; }\n public string NativeOs { get; set; }\n public string\
\ LanManager { get; set; }\n public string Domain { get; set; }\n}\n\n[EventData]\n\
public class NdrScannerPjlEvent\n{\n public string Mac { get; set; }\n public\
\ string Ip { get; set; }\n public string PjlInfoId { get; set; }\n public\
\ string PjlProdInfoAsJson { get; set; }\n}\n\n[EventData]\npublic class NdrScannerCrestronIPEvent\n\
{\n public string Mac { get; set; }\n public string Ip { get; set; }\n \
\ public string Hostname { get; set; }\n public string Banner { get; set;\
\ }\n public string BannerMac { get; set; }\n}\n\n[EventData]\npublic class\
\ NdrScannerAfpEvent\n{\n public string Mac { get; set; }\n public string\
\ Ip { get; set; }\n public UInt16 Port { get; s\n\nScriptBlock ID: a43dfb73-aef7-4d56-9990-ae3d6fbe9239\n\
Path: C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\\
Downloads\\PSScript_{66D3BAD7-3732-483F-A3C8-AF6A7AB42D51}.ps1"
powershell.file.script_block_hash:
- UxmNENK23Glg5C/cgt7m3unMc0c=
powershell.file.script_block_id:
- a43dfb73-aef7-4d56-9990-ae3d6fbe9239
powershell.sequence:
- 2
powershell.total:
- 37
process.pid:
- 28524
user.id:
- S-1-5-18
winlog.activity_id:
- '{A016D5A3-5E9E-0001-57CF-54A09E5EDC01}'
winlog.channel:
- Microsoft-Windows-PowerShell/Operational
winlog.computer_name:
- <redacted>
winlog.event_id:
- '4104'
winlog.opcode:
- On create calls
winlog.process.pid:
- 28524
winlog.process.thread.id:
- 28204
winlog.provider_guid:
- '{A0C1853B-5C40-4B15-8766-3CF1C58F985A}'
winlog.provider_name:
- Microsoft-Windows-PowerShell
winlog.record_id:
- '3575717'
winlog.task:
- Execute a Remote Command
winlog.user.domain:
- NT AUTHORITY
winlog.user.identifier:
- S-1-5-18
winlog.user.name:
- SYSTEM
winlog.user.type:
- User
winlog.version:
- 1