Detect PowerShell in Sumo Logic CSE
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. PowerShell can also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.001 PowerShell
- Canonical reference
- https://attack.mitre.org/techniques/T1059/001/
Sumo Detection Query
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*winlogbeat*)
| where EventID in ("4688", "1")
| where (
(EventID = "4688" AND (NewProcessName matches "*\\powershell.exe" OR NewProcessName matches "*\\pwsh.exe"))
OR
(EventID = "1" AND (Image matches "*\\powershell.exe" OR Image matches "*\\pwsh.exe"))
)
| if (EventID = "4688", ProcessCommandLine, CommandLine) as CmdLine
| if (EventID = "4688", SubjectUserName, User) as Username
| if (EventID = "4688", NewProcessName, Image) as ProcessName
| if (EventID = "4688", ParentProcessName, ParentImage) as ParentProcess
| toLowerCase(CmdLine) as CmdLineLower
| eval EncodedCmd = if(CmdLineLower matches "*-encodedcommand*" OR CmdLineLower matches "*-enc *" OR CmdLineLower matches "*-e *" OR CmdLineLower matches "*-ec *", 1, 0)
| eval DownloadCradle = if(CmdLineLower matches "*invoke-webrequest*" OR CmdLineLower matches "*iwr *" OR CmdLineLower matches "*net.webclient*" OR CmdLineLower matches "*downloadstring*" OR CmdLineLower matches "*downloadfile*" OR CmdLineLower matches "*downloaddata*" OR CmdLineLower matches "*start-bitstransfer*", 1, 0)
| eval AmsiBypass = if(CmdLineLower matches "*amsiutils*" OR CmdLineLower matches "*amsiinitfailed*" OR CmdLineLower matches "*setprotectionlevel*", 1, 0)
| eval PolicyBypass = if(CmdLineLower matches "*-executionpolicy bypass*" OR CmdLineLower matches "*-ep bypass*" OR CmdLineLower matches "*-ep unrestricted*", 1, 0)
| eval HiddenWindow = if(CmdLineLower matches "*-windowstyle hidden*" OR CmdLineLower matches "*-w hidden*", 1, 0)
| eval InvokeExpression = if(CmdLineLower matches "*invoke-expression*" OR CmdLineLower matches "*iex(*" OR CmdLineLower matches "*iex *", 1, 0)
| eval SuspicionScore = EncodedCmd + DownloadCradle + AmsiBypass + PolicyBypass + HiddenWindow + InvokeExpression
| where SuspicionScore > 0
| fields _messageTime, Computer, Username, ProcessName, CmdLine, ParentProcess, EncodedCmd, DownloadCradle, AmsiBypass, PolicyBypass, HiddenWindow, InvokeExpression, SuspicionScore
| sort by SuspicionScore, _messageTime descDetects suspicious PowerShell execution in Sumo Logic by parsing Windows Security (EventID 4688) and Sysmon (EventID 1) events. Normalizes field names across both sources, applies per-indicator scoring, and surfaces high-confidence events via suspicion score.
Data Sources
Required Tables
False Positives & Tuning
- Automated patch management systems like WSUS or third-party updaters using PowerShell with hidden windows to install software silently in the background
- Security operations scripts run by analysts that legitimately use encoded commands or Invoke-Expression for log parsing and artifact collection
- RMM (Remote Monitoring and Management) tools such as ConnectWise Automate or NinjaRMM executing PowerShell scripts with execution policy bypasses for remote remediation tasks
Other platforms for T1059.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Encoded Command Execution
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-EncodedCommand dwBoAG8AYQBtAGkA'. Security Event ID 4688 (if command line auditing enabled) with same details. PowerShell ScriptBlock Log Event ID 4104 will show the decoded content 'whoami'.
- Test 2Download Cradle via Net.WebClient
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'Net.WebClient' and 'DownloadString'. Sysmon Event ID 3: Network Connection to 127.0.0.1:8080. PowerShell ScriptBlock Log Event ID 4104 with full script content. The connection will fail (no listener) but the process creation event still fires.
- Test 3AMSI Bypass via Reflection
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'AmsiUtils' and 'amsiInitFailed'. PowerShell ScriptBlock Log Event ID 4104 with the reflection code. Windows Defender Event ID 1116 (AMSI detection) in Microsoft-Windows-Windows Defender/Operational log.
- Test 4Execution Policy Bypass with Hidden Window
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing '-ExecutionPolicy Bypass' and '-WindowStyle Hidden'. File creation event (Sysmon Event ID 11) for the temp file. PowerShell ScriptBlock Log Event ID 4104.
References (8)
- https://attack.mitre.org/techniques/T1059/001/
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell
- https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion
- https://s3cur3th1ssh1t.github.io/Powershell-and-the-NET-AMSI-Interface/
Unlock Pro Content
Get the full detection package for T1059.001 including response playbook, investigation guide, and atomic red team tests.