I am trying to write a KQL query to detect malicious PowerShell scripts created by a bad actor and be notified when those scripts are executed. What are the attributes that would identify a malicious script? What are the key differences between operating system PowerShell scripts and third-party scripts, and would this information be useful for spotting the bad ones?
This is a pretty tall order! If we could write a KQL query to detect malicious PowerShell, the world would be a very different place. The problem is there aren't any of the key differences you are looking for. There are a few things to look for which can help narrow the field, but the results are still going to be very false-positive prone. File origin and location can help to a point: native scripts might be in C:\Windows and malicious ones might be in %temp%. But there are app installers and other tools that use PowerShell and also put their scripts in %temp%. Some aspects of the command line can be indicative, such as -Hidden or -Version, but legit scripts sometimes use those also.
One thing you might want to try is the 'obfuscated scripts' ASR rule. I don't know how effective that is, though; I am just looking into that now.
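As an added example (not code from the original thread), here is one way to turn the weak indicators in the reply above into a ranked triage list instead of a per-hit alert, which is how a false-positive-prone signal is usually consumed. It assumes the Microsoft Defender Advanced Hunting `DeviceProcessEvents` table and its standard columns; the regexes, the abbreviated switch forms they accept, the score weights and the threshold are my own assumptions and go slightly beyond the two switches the reply names.

```kql
// Added example, not code from the original thread.
// Assumes the Defender Advanced Hunting DeviceProcessEvents schema.
// Each weak signal from the reply adds a point; a script living under
// C:\Windows subtracts one, so native scripts sink toward the bottom.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| extend Cmd = tolower(ProcessCommandLine)
// Command-line switches mentioned in the reply (long and short forms)
| extend HiddenWindow  = Cmd matches regex @"-w(indowstyle)?\s+hidden"
| extend VersionSwitch = Cmd matches regex @"-v(ersion)?\s+\d"
// Script location: user-writable temp/download folders vs. C:\Windows
| extend ScriptInTemp   = Cmd matches regex @"\\(temp|downloads)\\[^\s""']*\.ps1"
| extend ScriptInSystem = Cmd matches regex @"\\windows\\[^\s""']*\.ps1" and not(ScriptInTemp)
// Crude additive score (assumed weights); tune the threshold to your noise level
| extend Score = iff(HiddenWindow, 1, 0)
               + iff(VersionSwitch, 1, 0)
               + iff(ScriptInTemp, 1, 0)
               - iff(ScriptInSystem, 1, 0)
| where Score >= 2
// Parent process is kept for triage context, not used as a signal
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
          ProcessCommandLine, HiddenWindow, VersionSwitch, ScriptInTemp, Score
| order by Score desc, Timestamp desc
```

Expect installers and admin tooling to still show up at Score 2; the value of the query is the ordering and the per-signal columns, which let an analyst see at a glance why a row scored as it did.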