title: PowerShell (T1059.001)
id: df00tech-t1059-001
status: experimental
description: "Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. PowerShell can also be used to download and run executables from the Internet, which can then be executed from disk or loaded directly in memory without ever touching disk."
references:
  - https://attack.mitre.org/techniques/T1059/001/
  - https://df00tech.com/detections/T1059.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1059.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - System administrators using encoded commands for legitimate automation scripts
  - "Software deployment tools (SCCM, Intune) that use encoded PowerShell for installation scripts"
  - Monitoring agents that use Invoke-WebRequest to check URLs or download updates
  - "IT automation platforms (Ansible WinRM, Chef, Puppet) executing PowerShell remotely"
level: high
