Detect PowerShell in CrowdStrike LogScale
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. PowerShell can also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.001 PowerShell
- Canonical reference
- https://attack.mitre.org/techniques/T1059/001/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(powershell|pwsh)\.exe$/
| CommandLine = /(?i)(-encodedcommand|-enc\s|-e\s|-ec\s|invoke-webrequest|iwr\s|invoke-restmethod|net\.webclient|downloadstring|downloadfile|downloaddata|start-bitstransfer|amsiutils|amsiinitfailed|setprotectionlevel|-executionpolicy\s+bypass|-ep\s+bypass|-ep\s+unrestricted|-windowstyle\s+hidden|-w\s+hidden|invoke-expression|iex\(|frombase64string|invoke-mimikatz|invoke-shellcode|io\.compression)/
| eval EncodedCmd = if(CommandLine = /(?i)(-encodedcommand|-enc\s|-e\s|-ec\s)/, 1, 0)
| eval DownloadCradle = if(CommandLine = /(?i)(invoke-webrequest|iwr\s|invoke-restmethod|net\.webclient|downloadstring|downloadfile|downloaddata|start-bitstransfer)/, 1, 0)
| eval AmsiBypass = if(CommandLine = /(?i)(amsiutils|amsiinitfailed|setprotectionlevel)/, 1, 0)
| eval PolicyBypass = if(CommandLine = /(?i)(-executionpolicy\s+bypass|-ep\s+bypass|-ep\s+unrestricted)/, 1, 0)
| eval HiddenWindow = if(CommandLine = /(?i)(-windowstyle\s+hidden|-w\s+hidden)/, 1, 0)
| eval InvokeExpression = if(CommandLine = /(?i)(invoke-expression|iex\()/, 1, 0)
| eval SuspicionScore = EncodedCmd + DownloadCradle + AmsiBypass + PolicyBypass + HiddenWindow + InvokeExpression
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, EncodedCmd, DownloadCradle, AmsiBypass, PolicyBypass, HiddenWindow, InvokeExpression, SuspicionScore])
| sort(field=SuspicionScore, order=desc)Detects suspicious PowerShell execution in CrowdStrike LogScale (Humio) using Falcon ProcessRollup2 events. Applies per-indicator boolean scoring across encoded commands, download cradles, AMSI bypass, policy bypass, hidden windows, and Invoke-Expression. Results ranked by suspicion score.
Data Sources
Required Tables
False Positives & Tuning
- CrowdStrike Falcon sensor itself or other EDR products spawning PowerShell sub-processes with encoded commands during automated threat investigation or response actions
- Microsoft 365 compliance or Intune management agents executing PowerShell scripts with hidden window flags during device health attestation or policy enforcement
- Internal DevOps tooling on developer workstations using PowerShell download methods (Invoke-WebRequest, Net.WebClient) to pull NuGet packages or build dependencies from internal feeds
Other platforms for T1059.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Encoded Command Execution
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-EncodedCommand dwBoAG8AYQBtAGkA'. Security Event ID 4688 (if command line auditing enabled) with same details. PowerShell ScriptBlock Log Event ID 4104 will show the decoded content 'whoami'.
- Test 2Download Cradle via Net.WebClient
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'Net.WebClient' and 'DownloadString'. Sysmon Event ID 3: Network Connection to 127.0.0.1:8080. PowerShell ScriptBlock Log Event ID 4104 with full script content. The connection will fail (no listener) but the process creation event still fires.
- Test 3AMSI Bypass via Reflection
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'AmsiUtils' and 'amsiInitFailed'. PowerShell ScriptBlock Log Event ID 4104 with the reflection code. Windows Defender Event ID 1116 (AMSI detection) in Microsoft-Windows-Windows Defender/Operational log.
- Test 4Execution Policy Bypass with Hidden Window
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing '-ExecutionPolicy Bypass' and '-WindowStyle Hidden'. File creation event (Sysmon Event ID 11) for the temp file. PowerShell ScriptBlock Log Event ID 4104.
References (8)
- https://attack.mitre.org/techniques/T1059/001/
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell
- https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion
- https://s3cur3th1ssh1t.github.io/Powershell-and-the-NET-AMSI-Interface/
Unlock Pro Content
Get the full detection package for T1059.001 including response playbook, investigation guide, and atomic red team tests.