T1059.001 Splunk · SPL

Detect PowerShell in Splunk

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. PowerShell can also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.

MITRE ATT&CK

Tactic
Execution
Technique
T1059 Command and Scripting Interpreter
Sub-technique
T1059.001 PowerShell
Canonical reference
https://attack.mitre.org/techniques/T1059/001/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
| eval CommandLine=lower(CommandLine)
| eval EncodedCmd=if(match(CommandLine, "(-encodedcommand|-enc\s|-e\s|-ec\s)"), 1, 0)
| eval DownloadCradle=if(match(CommandLine, "(invoke-webrequest|iwr\s|net\.webclient|downloadstring|downloadfile|downloaddata|start-bitstransfer|invoke-restmethod)"), 1, 0)
| eval AmsiBypass=if(match(CommandLine, "(amsiutils|amsiinitfailed|setprotectionlevel)"), 1, 0)
| eval PolicyBypass=if(match(CommandLine, "(-executionpolicy\s+bypass|-ep\s+bypass|-ep\s+unrestricted)"), 1, 0)
| eval HiddenWindow=if(match(CommandLine, "(-windowstyle\s+hidden|-w\s+hidden)"), 1, 0)
| eval InvokeExpression=if(match(CommandLine, "(invoke-expression|iex\(|iex\s)"), 1, 0)
| eval SuspicionScore=EncodedCmd + DownloadCradle + AmsiBypass + PolicyBypass + HiddenWindow + InvokeExpression
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, EncodedCmd, DownloadCradle, AmsiBypass, PolicyBypass, HiddenWindow, InvokeExpression, SuspicionScore
| sort - _time
high severity high confidence

Detects suspicious PowerShell execution using Sysmon Event ID 1 (Process Creation) logs. Evaluates command lines against multiple categories of suspicious behavior and assigns a cumulative suspicion score. Covers encoded commands, download cradles, AMSI bypasses, execution policy bypasses, hidden windows, and Invoke-Expression usage. The suspicion score helps analysts prioritize alerts with multiple indicators.

Data Sources

Process: Process CreationCommand: Command ExecutionSysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • System administrators using encoded commands for legitimate automation scripts
  • Software deployment tools (SCCM, Intune) that use encoded PowerShell for installation scripts
  • Monitoring agents that use Invoke-WebRequest to check URLs or download updates
  • IT automation platforms (Ansible WinRM, Chef, Puppet) executing PowerShell remotely
Download portable Sigma rule (.yml)

Other platforms for T1059.001

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Encoded Command Execution

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-EncodedCommand dwBoAG8AYQBtAGkA'. Security Event ID 4688 (if command line auditing enabled) with same details. PowerShell ScriptBlock Log Event ID 4104 will show the decoded content 'whoami'.

  2. Test 2Download Cradle via Net.WebClient

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'Net.WebClient' and 'DownloadString'. Sysmon Event ID 3: Network Connection to 127.0.0.1:8080. PowerShell ScriptBlock Log Event ID 4104 with full script content. The connection will fail (no listener) but the process creation event still fires.

  3. Test 3AMSI Bypass via Reflection

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'AmsiUtils' and 'amsiInitFailed'. PowerShell ScriptBlock Log Event ID 4104 with the reflection code. Windows Defender Event ID 1116 (AMSI detection) in Microsoft-Windows-Windows Defender/Operational log.

  4. Test 4Execution Policy Bypass with Hidden Window

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing '-ExecutionPolicy Bypass' and '-WindowStyle Hidden'. File creation event (Sysmon Event ID 11) for the temp file. PowerShell ScriptBlock Log Event ID 4104.

Last updated: 2026-04-13 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1059.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1059Command and Scripting Interpreter

Related Sub-techniques

T1059.002AppleScriptT1059.003Windows Command ShellT1059.004Unix ShellT1059.005Visual BasicT1059.006PythonT1059.007JavaScriptT1059.008Network Device CLIT1059.009Cloud APIT1059.010AutoHotKey & AutoITT1059.011LuaT1059.012Hypervisor CLIT1059.013Container CLI/API

Related Techniques

T1059Command and Scripting InterpreterT1027Obfuscated Files or InformationT1027.010Command ObfuscationT1059.003Windows Command ShellT1105Ingress Tool TransferT1562.001Disable or Modify ToolsT1047Windows Management InstrumentationT1021.006Windows Remote ManagementT1053.005Scheduled Task

Same Tactic: Execution

Popular Detections