Detect PowerShell in Microsoft Sentinel
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. PowerShell can also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.001 PowerShell
- Canonical reference
- https://attack.mitre.org/techniques/T1059/001/
KQL Detection Query
let SuspiciousPatterns = dynamic([
"-EncodedCommand", "-enc ", "-e ", "-ec ",
"Invoke-WebRequest", "IWR ", "Invoke-RestMethod",
"Net.WebClient", "DownloadString", "DownloadFile", "DownloadData",
"Start-BitsTransfer",
"AmsiUtils", "amsiInitFailed", "SetProtectionLevel",
"Invoke-Expression", "IEX(", "IEX ",
"-ExecutionPolicy Bypass", "-ep bypass", "-ep unrestricted",
"-WindowStyle Hidden", "-w hidden", "-windowstyle h",
"[Convert]::FromBase64String", "[System.Convert]::FromBase64String",
"Invoke-Mimikatz", "Invoke-Shellcode",
"New-Object IO.MemoryStream", "IO.Compression",
"bitsadmin", "certutil -urlcache"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe"
| where ProcessCommandLine has_any (SuspiciousPatterns)
| extend EncodedCmd = ProcessCommandLine has_any ("-EncodedCommand", "-enc ", "-e ", "-ec ")
| extend DownloadCradle = ProcessCommandLine has_any ("Invoke-WebRequest", "Net.WebClient", "DownloadString", "DownloadFile", "IWR ", "Start-BitsTransfer")
| extend AmsiBypass = ProcessCommandLine has_any ("AmsiUtils", "amsiInitFailed", "SetProtectionLevel")
| extend PolicyBypass = ProcessCommandLine has_any ("-ExecutionPolicy Bypass", "-ep bypass")
| extend HiddenWindow = ProcessCommandLine has_any ("-WindowStyle Hidden", "-w hidden")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
EncodedCmd, DownloadCradle, AmsiBypass, PolicyBypass, HiddenWindow
| sort by Timestamp descDetects suspicious PowerShell execution patterns using Microsoft Defender for Endpoint (MDE) DeviceProcessEvents table. Identifies encoded commands, download cradles (WebClient, Invoke-WebRequest, BitsTransfer), AMSI bypass attempts, execution policy bypasses, and hidden window execution. Uses has_any for case-insensitive partial matching against a dynamic array of known-malicious patterns.
Data Sources
Required Tables
False Positives & Tuning
- System administrators using encoded commands for legitimate automation scripts
- Software deployment tools (SCCM, Intune) that use encoded PowerShell for installation scripts
- Monitoring agents that use Invoke-WebRequest to check URLs or download updates
- IT automation platforms (Ansible WinRM, Chef, Puppet) executing PowerShell remotely
Other platforms for T1059.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Encoded Command Execution
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-EncodedCommand dwBoAG8AYQBtAGkA'. Security Event ID 4688 (if command line auditing enabled) with same details. PowerShell ScriptBlock Log Event ID 4104 will show the decoded content 'whoami'.
- Test 2Download Cradle via Net.WebClient
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'Net.WebClient' and 'DownloadString'. Sysmon Event ID 3: Network Connection to 127.0.0.1:8080. PowerShell ScriptBlock Log Event ID 4104 with full script content. The connection will fail (no listener) but the process creation event still fires.
- Test 3AMSI Bypass via Reflection
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'AmsiUtils' and 'amsiInitFailed'. PowerShell ScriptBlock Log Event ID 4104 with the reflection code. Windows Defender Event ID 1116 (AMSI detection) in Microsoft-Windows-Windows Defender/Operational log.
- Test 4Execution Policy Bypass with Hidden Window
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing '-ExecutionPolicy Bypass' and '-WindowStyle Hidden'. File creation event (Sysmon Event ID 11) for the temp file. PowerShell ScriptBlock Log Event ID 4104.
References (8)
- https://attack.mitre.org/techniques/T1059/001/
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell
- https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion
- https://s3cur3th1ssh1t.github.io/Powershell-and-the-NET-AMSI-Interface/
Unlock Pro Content
Get the full detection package for T1059.001 including response playbook, investigation guide, and atomic red team tests.