PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically inspected by antivirus, which makes PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts by looking at process-creation events.

ATT&CK Detection

Technique     Tactic             Level of Coverage
PowerShell    Defense Evasion    High
Scripting     Defense Evasion    Moderate

Pseudocode

Look for instances of PowerShell that were not launched interactively, i.e. whose parent process is not the user's shell (explorer.exe).

process = search Process:Create
powershell = filter process where (exe == "powershell.exe" AND parent_exe != "explorer.exe" )
output powershell
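The same filter expressed as runnable detection logic over process-creation records, as an added example that is not part of the original analytic. It assumes Sysmon Event ID 1 style fields (full image path of the process and its parent) and normalises both to a lowercase basename so that casing or an absolute path does not defeat the comparison; the events are constructed samples, not real telemetry.

```python
import os
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ProcessCreate:
    """Minimal view of a process-creation event (e.g. Sysmon Event ID 1)."""
    pid: int
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


def exe_name(path: str) -> str:
    # Normalise a Windows path to a lowercase basename, so that
    # "C:\...\POWERSHELL.EXE" and "powershell.exe" compare equal.
    return os.path.basename(path.replace("\\", "/")).lower()


def find_noninteractive_powershell(events: Iterable[ProcessCreate]) -> List[ProcessCreate]:
    """The analytic: exe == powershell.exe AND parent_exe != explorer.exe."""
    hits = []
    for ev in events:
        if exe_name(ev.image) == "powershell.exe" and exe_name(ev.parent_image) != "explorer.exe":
            hits.append(ev)
    return hits


# Constructed sample events (hypothetical hosts, not captured data).
SAMPLE_EVENTS = [
    # Interactive: user started PowerShell from the desktop shell -> not flagged.
    ProcessCreate(1001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r"C:\Windows\explorer.exe", "powershell.exe"),
    # Launched from a batch/cmd context, upper-case image path -> flagged.
    ProcessCreate(1002, r"C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.EXE",
                  r"C:\Windows\System32\cmd.exe", "powershell.exe -NoProfile -File C:\\Temp\\update.ps1"),
    # Spawned by an Office application -> flagged.
    ProcessCreate(1003, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                  "powershell.exe -File C:\\Temp\\macro.ps1"),
    # Not PowerShell at all -> not flagged.
    ProcessCreate(1004, r"C:\Windows\System32\cmd.exe",
                  r"C:\Windows\System32\services.exe", "cmd.exe /c net use"),
]


if __name__ == "__main__":
    for hit in find_noninteractive_powershell(SAMPLE_EVENTS):
        print(f"pid={hit.pid} parent={exe_name(hit.parent_image)} cmd={hit.command_line}")
```

Expect a high volume of benign hits from scheduled tasks, management agents and logon scripts; tuning usually starts by baselining the parent images seen per host.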

Additional Notes:

PowerShell can be used to hide monitored command line execution, such as

  • net use
  • sc start

Data Model References

Object     Action    Field
process    create    exe
process    create    parent_exe