PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. In most Windows versions, execution of PowerShell scripts is opaque and not typically inspected by antivirus, which makes PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts.
| Technique | Tactic | Level of Coverage |
|---|---|---|
Look for instances of PowerShell that were not launched interactively, i.e. powershell.exe whose parent process is not explorer.exe.
```
process = search Process:Create
powershell = filter process where (exe == "powershell.exe" AND parent_exe != "explorer.exe")
output powershell
```
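The pseudocode above applied to process-creation telemetry, as an added example that is not part of the CAR analytic itself. The `ProcessCreate` record and the constructed sample events are assumptions; the filter is the analytic's own (powershell.exe whose parent is not explorer.exe), with the image names normalised to a lower-cased basename because sensors differ in whether they log a full path and Windows paths are case-insensitive.

```python
import ntpath
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class ProcessCreate:
    """One Process:Create event in the shape of CAR's process object
    (the field names here are an assumption for this example)."""
    hostname: str
    pid: int
    exe: str            # image name or full path of the new process
    command_line: str
    parent_exe: str     # image name or full path of the parent process


def _image_name(path: str) -> str:
    # Normalise "C:\Windows\System32\cmd.exe" or "CMD.EXE" to "cmd.exe" so the
    # comparison does not depend on path form or letter case.
    return ntpath.basename(path).lower()


def is_noninteractive_powershell(ev: ProcessCreate) -> bool:
    """The analytic's filter: powershell.exe whose parent is not explorer.exe."""
    return (_image_name(ev.exe) == "powershell.exe"
            and _image_name(ev.parent_exe) != "explorer.exe")


def find_noninteractive_powershell(events: Iterable[ProcessCreate]) -> List[ProcessCreate]:
    """The 'output powershell' step: every event that survives the filter."""
    return [ev for ev in events if is_noninteractive_powershell(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # A user opened a console from the desktop shell: interactive, not flagged.
    ProcessCreate("ws01", 4100, "powershell.exe", "powershell.exe", "explorer.exe"),
    # Full-path, mixed-case image spawned by cmd.exe: flagged.
    ProcessCreate("ws01", 4212, r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe",
                  r"PowerShell.exe -File C:\scripts\inventory.ps1", r"C:\Windows\System32\cmd.exe"),
    # Launched by a service host (scheduled task or service): flagged.
    ProcessCreate("srv02", 980, "powershell.exe", "powershell.exe -NoProfile -Command Get-Service", "svchost.exe"),
    # Not PowerShell at all.
    ProcessCreate("ws01", 5020, "notepad.exe", "notepad.exe", "explorer.exe"),
]


if __name__ == "__main__":
    for hit in find_noninteractive_powershell(SAMPLE_EVENTS):
        print(f"{hit.hostname} pid={hit.pid} parent={hit.parent_exe} cmd={hit.command_line}")
```

Note that the filter as written only excludes explorer.exe as the parent, so consoles opened from a terminal application such as Windows Terminal are flagged as non-interactive, and PowerShell 7 (pwsh.exe) is not matched at all; tune the exe and parent_exe conditions to your environment before relying on the volume of hits.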
PowerShell can be used to hide monitored command line execution such as
Data Model References