T1059.001 PowerShell Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousPatterns = dynamic([
  "-EncodedCommand", "-enc ", "-e ", "-ec ",
  "Invoke-WebRequest", "IWR ", "Invoke-RestMethod",
  "Net.WebClient", "DownloadString", "DownloadFile", "DownloadData",
  "Start-BitsTransfer",
  "AmsiUtils", "amsiInitFailed", "SetProtectionLevel",
  "Invoke-Expression", "IEX(", "IEX ",
  "-ExecutionPolicy Bypass", "-ep bypass", "-ep unrestricted",
  "-WindowStyle Hidden", "-w hidden", "-windowstyle h",
  "[Convert]::FromBase64String", "[System.Convert]::FromBase64String",
  "Invoke-Mimikatz", "Invoke-Shellcode",
  "New-Object IO.MemoryStream", "IO.Compression",
  "bitsadmin", "certutil -urlcache"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe"
| where ProcessCommandLine has_any (SuspiciousPatterns)
| extend EncodedCmd = ProcessCommandLine has_any ("-EncodedCommand", "-enc ", "-e ", "-ec ")
| extend DownloadCradle = ProcessCommandLine has_any ("Invoke-WebRequest", "Net.WebClient", "DownloadString", "DownloadFile", "IWR ", "Start-BitsTransfer")
| extend AmsiBypass = ProcessCommandLine has_any ("AmsiUtils", "amsiInitFailed", "SetProtectionLevel")
| extend PolicyBypass = ProcessCommandLine has_any ("-ExecutionPolicy Bypass", "-ep bypass")
| extend HiddenWindow = ProcessCommandLine has_any ("-WindowStyle Hidden", "-w hidden")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         EncodedCmd, DownloadCradle, AmsiBypass, PolicyBypass, HiddenWindow
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

System administrators using encoded commands for legitimate automation scripts
Software deployment tools (SCCM, Intune) that use encoded PowerShell for installation scripts
Monitoring agents that use Invoke-WebRequest to check URLs or download updates
IT automation platforms (Ansible WinRM, Chef, Puppet) executing PowerShell remotely

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
| eval CommandLine=lower(CommandLine)
| eval EncodedCmd=if(match(CommandLine, "(-encodedcommand|-enc\s|-e\s|-ec\s)"), 1, 0)
| eval DownloadCradle=if(match(CommandLine, "(invoke-webrequest|iwr\s|net\.webclient|downloadstring|downloadfile|downloaddata|start-bitstransfer|invoke-restmethod)"), 1, 0)
| eval AmsiBypass=if(match(CommandLine, "(amsiutils|amsiinitfailed|setprotectionlevel)"), 1, 0)
| eval PolicyBypass=if(match(CommandLine, "(-executionpolicy\s+bypass|-ep\s+bypass|-ep\s+unrestricted)"), 1, 0)
| eval HiddenWindow=if(match(CommandLine, "(-windowstyle\s+hidden|-w\s+hidden)"), 1, 0)
| eval InvokeExpression=if(match(CommandLine, "(invoke-expression|iex\(|iex\s)"), 1, 0)
| eval SuspicionScore=EncodedCmd + DownloadCradle + AmsiBypass + PolicyBypass + HiddenWindow + InvokeExpression
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, EncodedCmd, DownloadCradle, AmsiBypass, PolicyBypass, HiddenWindow, InvokeExpression, SuspicionScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

System administrators using encoded commands for legitimate automation scripts
Software deployment tools (SCCM, Intune) that use encoded PowerShell for installation scripts
Monitoring agents that use Invoke-WebRequest to check URLs or download updates
IT automation platforms (Ansible WinRM, Chef, Puppet) executing PowerShell remotely

Elastic Security (EQL)

eql

process where event.type == "start"
  and process.name : ("powershell.exe", "pwsh.exe")
  and (
    process.command_line : (
      "*-EncodedCommand*", "*-enc *", "*-e *", "*-ec *",
      "*Invoke-WebRequest*", "*IWR *", "*Invoke-RestMethod*",
      "*Net.WebClient*", "*DownloadString*", "*DownloadFile*", "*DownloadData*",
      "*Start-BitsTransfer*",
      "*AmsiUtils*", "*amsiInitFailed*", "*SetProtectionLevel*",
      "*Invoke-Expression*", "*IEX(*", "*IEX *",
      "*-ExecutionPolicy Bypass*", "*-ep bypass*", "*-ep unrestricted*",
      "*-WindowStyle Hidden*", "*-w hidden*",
      "*FromBase64String*", "*System.Convert*",
      "*Invoke-Mimikatz*", "*Invoke-Shellcode*",
      "*IO.MemoryStream*", "*IO.Compression*",
      "*certutil*-urlcache*", "*bitsadmin*"
    )
  )

high severity high confidence

Data Sources

Elastic Endpoint Security (elastic-agent) Winlogbeat with Sysmon module Elastic Windows integration (Event ID 4688 with command line auditing)

Required Tables

logs-endpoint.events.process-* .ds-logs-windows.sysmon_operational-* winlogbeat-*

False Positives

IT automation tools such as SCCM, Ansible, or PDQ Deploy running encoded PowerShell scripts for legitimate software deployment
Security tooling (CrowdStrike, Carbon Black, Qualys) spawning PowerShell with encoded commands during agent updates or scans
Developer workflows using Invoke-WebRequest or Net.WebClient in CI/CD pipelines pulling build artifacts from internal artifact repositories

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  username AS Username,
  devicehostname AS Hostname,
  "Process Name" AS ProcessName,
  "Process CommandLine" AS CommandLine,
  "Parent Process Name" AS ParentProcess,
  CASE
    WHEN LOWER("Process CommandLine") ILIKE '%-encodedcommand%'
      OR LOWER("Process CommandLine") ILIKE '%-enc %'
      OR LOWER("Process CommandLine") ILIKE '%-e %'
      OR LOWER("Process CommandLine") ILIKE '%-ec %'
    THEN 1 ELSE 0 END AS EncodedCmd,
  CASE
    WHEN LOWER("Process CommandLine") ILIKE '%invoke-webrequest%'
      OR LOWER("Process CommandLine") ILIKE '%iwr %'
      OR LOWER("Process CommandLine") ILIKE '%net.webclient%'
      OR LOWER("Process CommandLine") ILIKE '%downloadstring%'
      OR LOWER("Process CommandLine") ILIKE '%downloadfile%'
      OR LOWER("Process CommandLine") ILIKE '%start-bitstransfer%'
    THEN 1 ELSE 0 END AS DownloadCradle,
  CASE
    WHEN LOWER("Process CommandLine") ILIKE '%amsiutils%'
      OR LOWER("Process CommandLine") ILIKE '%amsiinitfailed%'
      OR LOWER("Process CommandLine") ILIKE '%setprotectionlevel%'
    THEN 1 ELSE 0 END AS AmsiBypass,
  CASE
    WHEN LOWER("Process CommandLine") ILIKE '%-executionpolicy bypass%'
      OR LOWER("Process CommandLine") ILIKE '%-ep bypass%'
    THEN 1 ELSE 0 END AS PolicyBypass,
  CASE
    WHEN LOWER("Process CommandLine") ILIKE '%-windowstyle hidden%'
      OR LOWER("Process CommandLine") ILIKE '%-w hidden%'
    THEN 1 ELSE 0 END AS HiddenWindow,
  CASE
    WHEN LOWER("Process CommandLine") ILIKE '%invoke-expression%'
      OR LOWER("Process CommandLine") ILIKE '%iex(%'
    THEN 1 ELSE 0 END AS InvokeExpression
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN (
  'Microsoft Windows Security Event Log',
  'Microsoft Sysmon'
)
AND eventid IN (4688, 1)
AND (LOWER("Process Name") LIKE '%powershell.exe' OR LOWER("Process Name") LIKE '%pwsh.exe')
AND (
  LOWER("Process CommandLine") ILIKE '%-encodedcommand%'
  OR LOWER("Process CommandLine") ILIKE '%-enc %'
  OR LOWER("Process CommandLine") ILIKE '%invoke-webrequest%'
  OR LOWER("Process CommandLine") ILIKE '%net.webclient%'
  OR LOWER("Process CommandLine") ILIKE '%downloadstring%'
  OR LOWER("Process CommandLine") ILIKE '%downloadfile%'
  OR LOWER("Process CommandLine") ILIKE '%downloaddata%'
  OR LOWER("Process CommandLine") ILIKE '%start-bitstransfer%'
  OR LOWER("Process CommandLine") ILIKE '%amsiutils%'
  OR LOWER("Process CommandLine") ILIKE '%amsiinitfailed%'
  OR LOWER("Process CommandLine") ILIKE '%setprotectionlevel%'
  OR LOWER("Process CommandLine") ILIKE '%-executionpolicy bypass%'
  OR LOWER("Process CommandLine") ILIKE '%-ep bypass%'
  OR LOWER("Process CommandLine") ILIKE '%-windowstyle hidden%'
  OR LOWER("Process CommandLine") ILIKE '%-w hidden%'
  OR LOWER("Process CommandLine") ILIKE '%invoke-expression%'
  OR LOWER("Process CommandLine") ILIKE '%iex(%'
  OR LOWER("Process CommandLine") ILIKE '%frombase64string%'
  OR LOWER("Process CommandLine") ILIKE '%invoke-mimikatz%'
  OR LOWER("Process CommandLine") ILIKE '%invoke-shellcode%'
)
LAST 24 HOURS

high severity high confidence

Data Sources

Microsoft Windows Security Event Log (EventID 4688 — requires process command line auditing GPO) Microsoft Sysmon (EventID 1 — Process Create)

Required Tables

events

False Positives

Endpoint management platforms (e.g., SCCM, Intune) that routinely invoke PowerShell with -EncodedCommand for policy enforcement scripts
Vulnerability scanners (e.g., Tenable, Qualys) executing PowerShell-based WMI queries that include Net.WebClient-style patterns
Build servers and CI agents (Jenkins, TeamCity, Azure DevOps) pulling scripts or artifacts via Invoke-WebRequest during pipeline execution

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*winlogbeat*)
| where EventID in ("4688", "1")
| where (
    (EventID = "4688" AND (NewProcessName matches "*\\powershell.exe" OR NewProcessName matches "*\\pwsh.exe"))
    OR
    (EventID = "1" AND (Image matches "*\\powershell.exe" OR Image matches "*\\pwsh.exe"))
  )
| if (EventID = "4688", ProcessCommandLine, CommandLine) as CmdLine
| if (EventID = "4688", SubjectUserName, User) as Username
| if (EventID = "4688", NewProcessName, Image) as ProcessName
| if (EventID = "4688", ParentProcessName, ParentImage) as ParentProcess
| toLowerCase(CmdLine) as CmdLineLower
| eval EncodedCmd = if(CmdLineLower matches "*-encodedcommand*" OR CmdLineLower matches "*-enc *" OR CmdLineLower matches "*-e *" OR CmdLineLower matches "*-ec *", 1, 0)
| eval DownloadCradle = if(CmdLineLower matches "*invoke-webrequest*" OR CmdLineLower matches "*iwr *" OR CmdLineLower matches "*net.webclient*" OR CmdLineLower matches "*downloadstring*" OR CmdLineLower matches "*downloadfile*" OR CmdLineLower matches "*downloaddata*" OR CmdLineLower matches "*start-bitstransfer*", 1, 0)
| eval AmsiBypass = if(CmdLineLower matches "*amsiutils*" OR CmdLineLower matches "*amsiinitfailed*" OR CmdLineLower matches "*setprotectionlevel*", 1, 0)
| eval PolicyBypass = if(CmdLineLower matches "*-executionpolicy bypass*" OR CmdLineLower matches "*-ep bypass*" OR CmdLineLower matches "*-ep unrestricted*", 1, 0)
| eval HiddenWindow = if(CmdLineLower matches "*-windowstyle hidden*" OR CmdLineLower matches "*-w hidden*", 1, 0)
| eval InvokeExpression = if(CmdLineLower matches "*invoke-expression*" OR CmdLineLower matches "*iex(*" OR CmdLineLower matches "*iex *", 1, 0)
| eval SuspicionScore = EncodedCmd + DownloadCradle + AmsiBypass + PolicyBypass + HiddenWindow + InvokeExpression
| where SuspicionScore > 0
| fields _messageTime, Computer, Username, ProcessName, CmdLine, ParentProcess, EncodedCmd, DownloadCradle, AmsiBypass, PolicyBypass, HiddenWindow, InvokeExpression, SuspicionScore
| sort by SuspicionScore, _messageTime desc

high severity high confidence

Data Sources

Windows Event Log collector (EventID 4688 with process command line auditing enabled) Sysmon via Sumo Logic Windows Event Log source (EventID 1)

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

Automated patch management systems like WSUS or third-party updaters using PowerShell with hidden windows to install software silently in the background
Security operations scripts run by analysts that legitimately use encoded commands or Invoke-Expression for log parsing and artifact collection
RMM (Remote Monitoring and Management) tools such as ConnectWise Automate or NinjaRMM executing PowerShell scripts with execution policy bypasses for remote remediation tasks

Google Chronicle / SecOps

yaral

rule t1059_001_powershell_suspicious_execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious PowerShell execution indicative of MITRE ATT&CK T1059.001 — PowerShell abuse for execution, download cradles, AMSI bypass, and encoded commands."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1059.001"
    reference = "https://attack.mitre.org/techniques/T1059/001/"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      $e.target.process.file.full_path = /(?i)\\(powershell|pwsh)\.exe$/ or
      $e.target.process.file.full_path = /(?i)\/(powershell|pwsh)$/
    )
    (
      $e.target.process.command_line = /(?i)-encodedcommand/ or
      $e.target.process.command_line = /(?i)-enc\s/ or
      $e.target.process.command_line = /(?i)-ec\s/ or
      $e.target.process.command_line = /(?i)invoke-webrequest/ or
      $e.target.process.command_line = /(?i)iwr\s/ or
      $e.target.process.command_line = /(?i)invoke-restmethod/ or
      $e.target.process.command_line = /(?i)net\.webclient/ or
      $e.target.process.command_line = /(?i)downloadstring/ or
      $e.target.process.command_line = /(?i)downloadfile/ or
      $e.target.process.command_line = /(?i)downloaddata/ or
      $e.target.process.command_line = /(?i)start-bitstransfer/ or
      $e.target.process.command_line = /(?i)amsiutils/ or
      $e.target.process.command_line = /(?i)amsiinitfailed/ or
      $e.target.process.command_line = /(?i)setprotectionlevel/ or
      $e.target.process.command_line = /(?i)-executionpolicy\s+bypass/ or
      $e.target.process.command_line = /(?i)-ep\s+bypass/ or
      $e.target.process.command_line = /(?i)-ep\s+unrestricted/ or
      $e.target.process.command_line = /(?i)-windowstyle\s+hidden/ or
      $e.target.process.command_line = /(?i)-w\s+hidden/ or
      $e.target.process.command_line = /(?i)invoke-expression/ or
      $e.target.process.command_line = /(?i)iex\(/ or
      $e.target.process.command_line = /(?i)frombase64string/ or
      $e.target.process.command_line = /(?i)invoke-mimikatz/ or
      $e.target.process.command_line = /(?i)invoke-shellcode/ or
      $e.target.process.command_line = /(?i)io\.compression/
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM events ingested from Microsoft Defender for Endpoint, CrowdStrike Falcon, Carbon Black, or Sysmon via Chronicle forwarder Windows Event Log ingested via Chronicle Forwarder or BindPlane (EventID 4688 with command line auditing)

Required Tables

UDM PROCESS_LAUNCH events (target.process.file.full_path, target.process.command_line)

False Positives

Enterprise software deployment tools (SCCM, Intune MDM) that execute PowerShell with -EncodedCommand as part of application installation or configuration enforcement
Legitimate administrative scripts used by help desk or SysAdmin teams that download tooling from internal shares using Net.WebClient or Invoke-WebRequest
Backup and monitoring agents (e.g., Veeam, SolarWinds) running PowerShell with hidden windows and download capabilities during scheduled maintenance tasks

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(powershell|pwsh)\.exe$/
| CommandLine = /(?i)(-encodedcommand|-enc\s|-e\s|-ec\s|invoke-webrequest|iwr\s|invoke-restmethod|net\.webclient|downloadstring|downloadfile|downloaddata|start-bitstransfer|amsiutils|amsiinitfailed|setprotectionlevel|-executionpolicy\s+bypass|-ep\s+bypass|-ep\s+unrestricted|-windowstyle\s+hidden|-w\s+hidden|invoke-expression|iex\(|frombase64string|invoke-mimikatz|invoke-shellcode|io\.compression)/
| eval EncodedCmd = if(CommandLine = /(?i)(-encodedcommand|-enc\s|-e\s|-ec\s)/, 1, 0)
| eval DownloadCradle = if(CommandLine = /(?i)(invoke-webrequest|iwr\s|invoke-restmethod|net\.webclient|downloadstring|downloadfile|downloaddata|start-bitstransfer)/, 1, 0)
| eval AmsiBypass = if(CommandLine = /(?i)(amsiutils|amsiinitfailed|setprotectionlevel)/, 1, 0)
| eval PolicyBypass = if(CommandLine = /(?i)(-executionpolicy\s+bypass|-ep\s+bypass|-ep\s+unrestricted)/, 1, 0)
| eval HiddenWindow = if(CommandLine = /(?i)(-windowstyle\s+hidden|-w\s+hidden)/, 1, 0)
| eval InvokeExpression = if(CommandLine = /(?i)(invoke-expression|iex\()/, 1, 0)
| eval SuspicionScore = EncodedCmd + DownloadCradle + AmsiBypass + PolicyBypass + HiddenWindow + InvokeExpression
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, EncodedCmd, DownloadCradle, AmsiBypass, PolicyBypass, HiddenWindow, InvokeExpression, SuspicionScore])
| sort(field=SuspicionScore, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon sensor telemetry (ProcessRollup2 events ingested into LogScale/Humio)

Required Tables

ProcessRollup2 (#event_simpleName=ProcessRollup2)

False Positives

CrowdStrike Falcon sensor itself or other EDR products spawning PowerShell sub-processes with encoded commands during automated threat investigation or response actions
Microsoft 365 compliance or Intune management agents executing PowerShell scripts with hidden window flags during device health attestation or policy enforcement
Internal DevOps tooling on developer workstations using PowerShell download methods (Invoke-WebRequest, Net.WebClient) to pull NuGet packages or build dependencies from internal feeds

PowerShell

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections